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Introduction 


■ 


The  Health  Information  Act  sets  out  rules  governing  the  collection,  use  and  disclosure  of  health 
information.  These  rules  will  apply  to  all  health  care  providers  operating  in  the  public  health 
system.  The  details  concerning  a person  s health  status  have  long  been  considered  the  most 
sensitive  type  of  information.  Concerns  about  the  privacy  and  confidentiality  of  health 
information  are  common  to  us  all.  At  the  same  time,  there  is  a strong  view  that  health  care 
information  can  be  used  to  provide  caregivers  better  information  about  people  who  need 
care,  survey  the  health  of  Canadians,  define  the  determinants  of  our  health  and  better  manage 
our  health  care  system.  While  the  Health  Information  Act  provides  for  these  uses  of  health 
information,  it  also  affirms  prevailing  professional  ethical  obligations  respecting  confidentiality 
and  security  of  health  information.  Significantly,  the  Act  also  provides  a right  of  access  by 
individuals  to  their  personal  health  information. 


This  guide  has  been  designed  for  busy  health  care  professionals.  The  user  will  find  a 
comprehensive  Table  of  Contents  and  a Quick  Reference  Guide  that  offers  examples  of  how 
the  Act  might  apply  in  some  common  scenarios.  The  guide  will  not  provide  answers  to 
every  situation.  We  hope  that  it  will  give  the  user  enough  of  a sense  of  how  the  Act 
operates  to  know  when  to  proceed  as  usual  and  when  practices  may  have  to  be  modified. 
Albertans  have  always  trusted  the  judgement  of  their  health  care  professionals.  The 
continued  exercise  of  this  good  judgement  and  an  understanding  of  the  Act  will  provide 
the  necessary  skills  and  knowledge  for  dealing  with  health  information. 


I wish  to  acknowledge  the  many  individuals  who  were  involved  in  the  production  of  this  guide. 
Craig  Jordheim,  B.A.,  LL.B  undertook  the  writing  of  the  guide  with  editing  provided  by  staff 
member,  Roseanne  Gallant,  Health  Information  Compliance  Officer.  Other  staff  members 
contributed  helpful  comments,  including:  Brenda  Chomey,  Health  Portfolio  Officer,  Noela  Inions, 
Legal  Counsel, Tim  Chander,  Communications  Officer,  Marylin  Mun,Team  Leader  - FOIP 
and  Elizabeth  Denham,  Consultant.  Pam  MacKechnie  was  our  very  capable  proofreader. 


A number  of  stakeholders  were  involved  in  the  creation  of  this  publication  and  a special 
thank  you  is  extended  to  the  following:  Mr.Victor  Taylor, Alberta  Medical  Association,  Mr.  Greg 
Eberhart,  Alberta  College  of  Pharmacists,  Dr.  Renae  Rogers,  College  of  Chiropractors  of  Alberta, 
Mr.J.  Swinarski  and  Ms.  Lori  Webb,  College  of  Physicians  and  Surgeons,  Dr.  Hugh  Campbell, 
Alberta  Dental  Association,  Ms.  Cindy  Nikiforuk, Alberta  Health  Record  Association  and  Mr. 
Barry  Cavanaugh,  Pharmacy  Association  of  Alberta.  Involvement  in  the  development  of  this 
document  can  not  be  construed  as  an  endorsement  by  the  aforementioned  stakeholders. 


I also  wish  to  acknowledge  the  “On  the  Record”  a similar  guide  prepared  by  the  Information 
and  Privacy  Commissioner  of  New  Zealand  as  our  inspiration  for  this  publication. 

The  graphic  design  was  supplied  by  Artsmith  Communications. 


I believe  this  guide  provides  a clear  understanding  and  direction  of  how  the  Health  Information 
Act  applies  to  a persons  health  records.  This  Act  is  so  important  for  the  continued 
confidence  of  patients  as  well  as  the  professionals  who  serve  them. 


Frank  Work,  Q.C. 

Assistant  Commissioner,  Health  Information 
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Quick  Reference  Guide 

Some  examples  of  questions  that  this  guide  is  intended  to  answer. 


Are  you  a custodian  or  affiliate  under  the  Act? 

Example  I Page  12 


Is  unrecorded  information  protected  by  the  Act? 

Example  2 Page  1 5 


Is  unsolicited  information  considered  a collection  under  the  Act? 

Example  6 Page  24 


A caregiver  has  asked  for  information  about  a patient. 

Example  II  Page  34 


A parent  has  asked  for  information  about  a child. 

Example  12  Page  35 


The  police  have  asked  for  information  about  a patient. 

Example  15  Page  37 


A patient  has  asked  to  see  their  medical  records. 

Example  19  Page  44 


A patient  disagrees  with  a diagnosis  and  wants  it  corrected. 

Example  20  Page  46 


HEALTH  INFORMATION  - A PERSONAL  MATTER  A Practical  Guide  To  The  Health  Information  Act 


Table  of  Contents 

The  Purpose  of  this  Guide  8 

1 . An  overview  9 

2.  Does  HIA  apply  to  you?  1 0 

General  1 0 

Are  You  a Custodian?  I I 

Are  You  an  Affiliate?  I I 

Example  I - Does  the  Act  Apply?  12 

3.  What  information  does  the  Act  protect?  1 3 

General  1 3 

Health  Information  1 3 

Diagnostic, Treatment  and  Care  Information  14 

Registration  Information  14 

Health  Services  Provider  Information  1 5 

Recorded  vs.  Unrecorded  Information  1 5 

Example  2 - Confidentiality  of  Unrecorded  Information  1 5 

Individually  Identifying  vs.  Non-identifying  Information 

Example  3 - Identifying  vs.  Non-identifying  Health  Information  1 6 

4.  Duties  and  powers  of  custodians  and  affiliates  1 7 

Relationship  between  Custodians  and  Affiliates  1 7 

Establishing  Policies  and  Procedures  1 7 

The  Prime  Directive  1 7 

Ensuring  the  Accuracy  of  Information  1 8 

Privacy  Impact  Statements  1 8 

5.  Collecting  health  information  19 

General  1 9 

Example  4 - Necessity  and  Purpose  in  Collection  20 

Collection  of  Individually  Identifying  Health  Information  20 

Collection  of  Personal  Health  Numbers  2 1 

Collecting  Directly  from  the  Individual  Concerned  2 1 

Collecting  from  aThird  Party  22 

Example  5 - Collecting  Information  from  a Patients  Family  23 

Unsolicited  Information  as  Collection  24 

Example  6 - Receiving  Unsolicited  Information  24 

Collection  using  a Recording  Device  or  Camera 

6.  Protecting  health  information  25 

General  25 

You  must  do  the  following  25 

Physical  Safeguards  26 

Technical  Safeguards  26 

Administrative  Safeguards  27 

Example  7 - Security  Measures  2 7 

Restrict  Access  by  Staff  28 

Example  8 - Need  to  Know  28 

Example  9 - Need  to  Know  28 

Disposal  of  Records  28 


HEALTH  INFORMATION  - A PERSONAL  MATTER  A Practical  Guide  To  The  Health  Information  Act 


TABLE  OF  CONTENTS 


7.  Using  health  information  29 

General  29 

Use  of  Health  Information  29 

Accuracy  and  Completeness  30 

8.  Disclosing  health  information  to  third  parties  3 I 

General  3 1 

Consent  to  Disclosure  32 

Example  1 0 - Openness  in  collection  procedures  avoids  disclosure  problems  later  32 
Duties  and  Discretion  of  Custodians  33 

How  Much  to  Disclose  33 

You  Have  to  Disclose  33 

You  Want  to  or  are  Asked  to  Disclose  without  Consent  34 

Disclosure  to  other  Custodians  34 

Disclosure  to  Continuing  Care  Providers  34 

Example  1 1 - Request  by  Caregivers  34 

Example  1 2 - Disclosure  of  a child’s  counselling  notes  to  parents  35 

Disclosure  due  to  Family/Close  Personal  Relationship  36 

Disclosure  in  Judicial  or  Quasi-Judicial  Proceedings  36 

Disclosure  to  Prevent  Fraud, Abuse  of  the  System  or  Offences  37 

Example  1 3 - Disclosure  to  prevent  abuse  3 7 

Example  1 4 - Disclosure  to  prevent  fraud  3 7 

Disclosure  to  Police  37 

Example  1 5 - Disclosure  to  police  38 

Disclosure  to  Preserve  Health/Safety  38 

Example  1 6 - Disclosure  to  lessen  a serious  and  imminent  threat  38 

Example  1 7 - Disclosure  to  avert  or  minimize  imminent  danger  to  the  health  38 

or  safety  of  any  person 

Disclosure  for  Research  Purposes  39 

Notice  to  the  Recipient  of  the  Disclosure  39 

Notation  of  Disclosures  39 

9.  Right  of  access  to  personal  health  information  40 

General  41 

What  is  a Record?  41 

Requests  for  Access  4 1 

Responding  to  Requests  - what  you  must  do  4 1 

You  must  refuse  Access  42 

You  may  refuse  Access  43 

Example  1 8 - Discretionary  Refusal  of  Access  43 

Example  1 9 - Refusal  to  Access  based  on  information  likely  to  prejudice  health  44 

Fees  44 

1 0.  Correcting  or  amending  health  information  45 

General  45 

Example  20-  Correcting  a Disputed  Diagnosis  46 

I I . Reviews  by  the  Commissioner  47 

General  47 

Whistleblower  Protection  47 

1 2.  HIA  at  a glance  48 

1 3.  Conclusion  50 

14.  Glossary  51 

1 5.  Notes  55 


HEALTH  INFORMATION  - A PERSONAL  MATTER  A Practical  Guide  To  The  Health  Information  Act 


The  purpose  of 
this  guide 

This  guide  is  intended  to  give  health  service  providers  a basic  understanding  of  the  Health 
Information  Act  (HIA)  and  the  areas  they  are  most  likely  to  encounter  in  the  course  of  their 
practice  or  employment 

This  guide  is  not  intended  to  be  an  exhaustive  study  of  the  Act  and  will  not  provide  answers 
to  every  question  that  might  arise  in  practice.  It  points  out  the  major  duties  and  powers 
created  by  the  Act  and  the  rules  governing  how  those  duties  are  to  be  fulfilled  and  how 
those  powers  are  to  be  exercised. 

Examples  are  given  of  situations  that  might  arise  in  practice  and  suggestions  are  made  about 
how  the  Act  might  apply.This  guide  is  not  a substitute  for  legal  advice.  If  you  are  unsure 
about  whether  or  how  the  Act  applies,  you  should  contact  your  HIA  co-ordinator,  Alberta 
Health  and  Wellness,  the  Office  of  the  Information  and  Privacy  Commissioner,  or  a lawyer. 

Important  points  made  in  this  guide  are  printed  in  boldface  type.  Some  words  or  phrases 
are  printed  in  italics.  Italicized  words  or  phrases  have  a specific  meaning  in  the  Act. 

The  glossary  at  the  end  of  the  guide  will  provide  those  definitions.  When  you  are  trying 
to  decide  if  or  how  the  Act  applies,  it  is  extremely  important  to  pay  attention  to  the 
definitions  in  the  Act.  The  definitions  are  crucial  for  determining  even  basic  issues 
such  as  whether  you  are  subject  to  the  Act  or  not. 
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An  overview 

The  Health  Information  Act  is  a detailed  piece  of  legislation  for  a very  simple  reason. 

It  deals  with  complex  issues  concerning  the  collection,  use,  disclosure  and  protection  of 
personal  health  information  used  in  the  health  care  system. 

Patients  are  very  concerned  about  what  is  done  with  their  personal  medical  information. 
They  want  their  information  closely  guarded  so  that  it  is  not  accessed  or  disclosed 
against  their  wishes  - either  on  purpose  or  inadvertently.  No  one  wants  to  seek  treatment 
for  a sensitive  medical  problem  only  to  receive  a surprise  call  from  someone  marketing 
a product  for  the  treatment  of  that  condition.  Similarly,  no  one  wants  their  neighbour  to 
accidentally  discover  what  medications  they  are  taking  or  the  medical  conditions  they 
are  being  treated  for. 

Similar  concerns  apply  to  information  about  people  who  provide  health  services.  Providers 
do  not  want  information  disclosed  which  concerns  their  education,  employment  status, 
or  job  classification. 

At  the  same  time,  it’s  understood  that  people  and  organizations  providing  health  services 
need  to  have  access  to  information  to  treat  people,  conduct  research  and  manage  the 
health  care  system.  Other  people,  such  as  a patients  family,  may  have  a legitimate  reason 
to  be  told  about  the  patient’s  medical  condition. The  authorities  may  need  to  be  warned 
about  people  whose  medical  condition  makes  them  a danger  to  themselves  or  others.  In 
such  cases,  a person’s  right  to  or  desire  for  privacy  may  conflict  with  the  rights  or  desires 
of  others. 

The  needs  and  rights  of  many  people  and  groups  must  be  balanced  against  each  other. 
The  Health  Information  Act,  and  the  regulations  made  under  it,  set  out  the  rules  that 
accomplish  this  balance.  Because  there  are  so  many  ways  in  which  these  needs  and 
desires  can  interact,  the  Act  is  detailed. 

The  Act  attempts  to  balance  the  need  for  privacy  and  confidentiality  against  the  need  for 
the  collection,  use  and  disclosure  of  information.  The  Act  contains  separate  parts  dealing 
with  each  issue.The  introductory  section  of  the  Act  sets  out  the  purposes  of  the  legislation. 
The  remainder  of  the  Act  is  divided  into  parts  dealing  with: 

A a person’s  right  to  access,  correct  or  amend  their  own  information; 

A creating  offences  and  imposing  penalties  to  deter  people  from  breaching  its  provisions; 
and 

A methods  for  reviewing  decisions  made  by  custodians  and  resolving  complaints. 

It  is  important  to  note  that  this  Act  does  not  require  health  service  providers  to  abandon 
everything  they  have  done  in  practice  up  to  now  and  start  over. While  the  Act  must  be 
followed,  professional  codes  of  ethics  continue  to  apply  as  long  as  they  are  not  in  conflict 
with  the  Act.  However,  if  the  Act  prohibits  something,  you  may  not  do  it,  even  if  your 
code  of  ethics  would  allow  it.  If  the  Act  is  silent  on  an  issue,  and  your  code  of  ethics 
either  allows  or  prohibits  you  from  doing  a certain  thing,  you  should  follow  the 
code  of  ethics. 
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DOES  HIA  APPLY  TO  YOU? 


Does  HIA  apply  to  you? 


General 


In  one  sense  the  Act  applies  to  everyone,  because  it  gives  people  a right  of  access 
(subject  to  certain  exceptions)  to  their  own  health  information  and  prevents  others  from 
having  access  to  or  obtaining  disclosure  of  that  information. 


This  Act  is  primarily  concerned  with  information  that  is  collected  and  used 
by  people  and  organizations  in  Alberta’s  publicly  funded  health  system. 

It  does  not  apply  to  all  health  information  about  an  individual. 


Certain  organizations,  such  as  insurance  companies  and  employers,  may  hold  health 
information  in  their  files,  however  they  are  not  custodians  or  affiliates  as  those  terms  are 
defined  in  the  Act,  nor  does  the  Act  govern  the  use  of  health  information  by  them. 
Nevertheless,  these  entities  are  bound  by  the  Act  when  they  obtain  access  or  seek 
disclosure  of  information  to  them. 

It  may  be  helpful  to  think  of  the  public  health  system  as  a controlled  arena. 

Most  patients  understand  that  health  care  is  complex  and  that  many  people  in  the  health 
care  system  need  access  to  their  health  information  to  provide  care  and  treatment. 
People  usually  do  not  object  to  information  being  shared  with  their  nurse  or  specialist  or 
someone  who  is  providing  them  with  homecare,  so  long  as  the  sharing  of  that  information 
is  necessary  for  their  treatment.  Health  care  providers  understand  that  information  about 
them  will  be  collected  and  shared  for  the  purpose  of  managing  the  health  care  system. 

The  vast  majority  of  health  information  is  collected  and  used  by  people  and  organizations 
operating  in  Alberta’s  publicly  funded  health  system.  The  Act  defines  most  of  these  people 
and  organizations  as  either  custodians  or  affiliates. 


MUD 
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Are  You  a Custodian? 


Custodians  and  affiliates  in  the  controlled  arena  are  subject  to  specific  rules  dealing  with 
health  information.  Custodians  are,  in  effect,  gatekeepers  who  must  be  vigilant  in  determining 
what  information  they  will  collect  and  share,  and  with  whom  they  will  share.  It  is  possible  for 
information  to  leave  this  controlled  arena.  For  example,  information  may  be  disclosed  to 
a family  member,  but  this  is  only  possible  if  the  rules  governing  the  controlled  arena  allow 
such  disclosure. 


The  Act  and  accompanying  regulations  define  over  twenty  types  of  custodians.  The  list 
includes  provincial  health  boards,  regional  health  authorities,  nursing  home  operators, 
licensed  pharmacies,  and  the  Ministry  of  Health.  These  custodians  are  easily  identified. 

Individuals  defined  in  the  Act  as  health  services  provider(s)  are  also  custodians,  but  less 
easily  identified.These  individuals  are  paid  under  the  Alberta  Health  Care  Insurance  Plan 
(AHCIP)  to  provide  health  services.  Health  service  providers  include  physicians,  dental 
surgeons,  dental  mechanics,  optometrists,  opticians,  chiropractors,  podiatrists  and  osteopaths. 
Pharmacists  are  also  included,  regardless  of  how  they  are  paid.  A health  service  is  a service 
that  is  directly  or  indirectly  and  partly  or  fully  funded  by  the  Alberta  Department  of  Health 
and  Wellness  and  provided  to  an  individual  for  the  purpose  of: 


Custodians 
and  affiliates 
protect  health 
information 


▲ protecting,  promoting  or  maintaining  physical  and  mental  health; 

▲ preventing  illness; 

▲ diagnosing  and  treating  illness; 

A rehabilitation; 

A caring  for  the  health  needs  of  the  ill,  disabled,  injured  or  dying;  or 

A provided  to  an  individual  by  a pharmacist  engaged  in  the  practice  of  pharmacy 
no  matter  how  the  service  is  paid  for. 

Determining  whether  you  are  a custodian  under  this  provision  requires  careful 
consideration.  Note  that  you  must  consider  not  only  what  services  you  provide, 
but  how  you  are  paid  for  them.  It  is  entirely  possible  for  an  individual  to  provide  the 
same  health  care  service  to  two  different  people  and  only  be  a custodian  with  respect  to 
one  service.  In  some  cases  visits  to  a chiropractor  are  paid  for  by  the  AHCIP  In  such  cases 
the  chiropractor  is  a custodian.  If  the  same  visit  is  paid  for  privately,  the  chiropractor  is 
not  a custodian. 
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Are  You  an  Affiliate? 
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Custodians 

are 

responsible 
for  their 
affiliates 


Under  the  Act  you  are  an  affiliate  if  you  are: 

▲ an  individual  employed  by  a custodian,  e.g.  a receptionist  in  a physician  s office 
or  a physician  with  admitting  privileges  to  a hospital; 

A a person  who  performs  a service  for  a custodian  as  an  appointee,  volunteer 
or  student; 

A a person  who  performs  a service  for  a custodian  under  a contract  or  agency 
relationship  with  the  custodian;  or 

A a health  services  provider  who  has  the  right  to  admit  and  treat  patients  at  a 
hospital  as  defined  in  the  Hospitals  Act. 

Most  custodians  employ  a few  people  and  some  employ  thousands  of  people. 

Other  custodians  have  contracts  with  individuals  or  companies.  Some  custodians, 
such  as  hospitals,  grant  privileges  to  doctors  to  admit  and  treat  patients  in  their  facilities. 
Contracted  individuals  and  companies  could  gain  access  to  information  held  by  the  custodian 
and  in  some  cases  that  may  be  the  whole  purpose  of  their  employment  or  contract. 

If  these  people  or  companies  were  not  subject  to  the  Act,  they  would  not  be  subject 
to  the  same  health  information  rules  of  disclosure.  Consequently,  the  Act  defines  them 
as  affiliates  and  brings  them  into  the  controlled  arena.  It  is  important  for  people  to 
determine  whether  they  are  affiliates  so  they  know  whether  they  are  bound  by  the  Act. 

It  is  just  as  important  for  custodians  to  identify  their  affiliates  because  they 
are  responsible  for  them. 

Ambulance  attendants  and  insurance  agents,  as  defined  in  the  Health  Insurance  Premiums 
Act,  are  specifically  excluded  from  the  definition  of  affiliate  and  are  not  subject  to  the  Act. 


Does  the  Act  Apply? 


Sue  is  a nurse  employed  at  a private  school.  A student  tells  Sue  that  he  is  very  depressed  and  is 

considering  suicide.  Sue  notes  the  incident  in  her  files  and  counsels  the  student.  Sue  wants  to 

phone  the  student's  parents.  Does  the  Act  apply  to  Sue? 

Is  the  school  a custodian  and  if  so,  is  Sue  an  affiliate  of  the  school? 

A The  school  is  not  a custodian  under  the  definition  in  the  Act,  so  the  school  is  not  subject  to 
the  Act.  Because  the  school  is  not  a custodian,  Sue  could  not  be  an  affiliate  under 
the  Act  despite  being  employed  by  the  school. 

Is  Sue  a custodianl 

A As  Sue  is  engaged  in  promoting  or  protecting  the  student's  mental  health  and  diagnosing  or 
treating  his  illness,  she  could  be  a health  services  provider  under  the  Act.  Whether  she  is  a 
custodian  would  be  determined  by  whether  her  services  were  directly  or  indirectly  and  partly 
or  fully  funded  by  the  AHCIP. 

A As  a salaried  employee  of  the  school  with  no  billings  made  through  the  public  health  system, 
she  would  not  be  a custodian  and  the  Act  would  not  apply. 
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Custodians 

are 

responsible 
for  their 
affiliates 
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What  information 
does  the  Act  protect? 

General 
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It  is  important  to  remember  that  health  care  professionals  and  organizations  have 
always  acted  as  gatekeepers  of  personal  health  information.They  have  always  gathered 
information  from  patients  and  health  care  providers  and  used  it  to  provide  care  and 
manage  the  public  health  care  system.They  have  also  protected  that  information, 
preventing  unauthorized  persons  from  obtaining  it.The  Act  sets  out  specific  rules 
about  how  health  information  must  now  be  dealt  with,  but  those  rules  do  not  radically 
change  what  health  care  professionals  have  been  doing  for  a long  time. 


Health  Information 


The  Act  protects  health  information.  While  this  term  appears  to  be  a simple  one, 
this  Act  defines  three  types  of  health  information: 


1 ) diagnostic , 
treatment  and  care 
information 

2)  health  services 
provider 
information 

3)  registration 
information 

When  faced  with  a health 
information  issue  you  must 
determine  what  type  of 
health  information  you  are 
dealing  with,  as  some  of  the 
rules  in  the  Act  do  not  apply 
to  all  three  types  of  health 
information. 


Registration 

Info. 

Health  Services 
Provider  Info. 
Diagnostic, 
Treatment  Info. 
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HEALTH  INFORMATION  - A PERSONAL  MATTER  A Practical  Guide  To  The  Health  Information  Act 


It  is  not  uncommon  to  find  all  three  types  of  information  in  the  same  record,  so  you  must 
be  careful  not  to  inadvertently  disclose  information  you  do  not  wish  to  disclose.  It  is  also 
important  to  note  that  the  Act  deals  with  individually  identifying  versus  non-identifying 
and  recorded  versus  non-recorded  information. 

Health  information  is  collected,  used,  protected  and  disclosed.The  provisions  in  the  Act 
about  protection,  use  and  disclosure  apply  to  all  health  information  regardless  of  when 
the  custodian  acquired  it.  However,  the  provisions  in  the  Act  regarding  the  collection  of 
information  only  apply  to  information  collected  after  the  Act  came  into  force. 


This  guide  focuses  largely  on  diagnostic , treatment  and  care  information,  as  it  is  that  type  of 
information  that  will  be  involved  in  most  cases  when  issues  arise  about  collection,  use 
and  disclosure. 


Diagnostic, Treatment  and  Care  Information 


This  type  of  information  is  what  health  care  professionals  deal  with  on  a routine  basis. 

It  includes  information  about: 

▲ a person  s physical  or  mental  health; 

▲ the  treatment  they  are  receiving  or  have  received; 

A drugs  they  have  been  provided  with; 

A health  care  aids  or  products  they  have  received;  and 

A the  amount  of  health  care  benefits  paid  or  payable  for  services  provided  to  them. 

Registration  Information 


This  type  of  information  includes: 

A demographic  information  (name,  signature,  gender,  photograph,  personal  health 
care  number,  etc.); 

A location,  residency  and  telecommunications  information  (mailing  and  electronic 
addresses,  past  residences,  citizenship/immigration  status); 

A health  service  eligibility  information; 

A billing  information. 

Personal  health  numbers  receive  particular  attention.  Only  custodians  and  persons 
designated  under  the  regulations  may  require  a person  to  provide  their  personal  health 
number.  The  list  of  persons  designated  in  the  regulations  include: 

A ambulance  attendants  and  operators; 

A the  Workers’  Compensation  Board;  and 

A persons  other  than  custodians  who  provide  health  services  and  need  the  number 
to  seek  reimbursement  from  the  Alberta  Health  Care  Insurance  Plan,  for  example, 
massage  therapists. 

When  asking  for  a personal  health  number,  they  must  advise  the  person  of  their  authority 
to  ask  for  the  number.  If  someone  without  authority  requests  a personal  health  number, 
a person  can  refuse  to  provide  the  number. 
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WHAT  INFORMATION  DOES  THE  ACT  PROTECT? 


Health  Services  Provider  Information 


Information  is  often  collected  about  providers  of  health  services.  Certain  custodians,  such  as 
regional  health  authorities  or  the  Department  of  Health  and  Wellness,  use  this  information 
for  workforce  planning  or  determining  whether  a health  care  providers  right  to  practice  has 
been  cancelled  or  suspended.This  type  of  information  includes  such  things  as  the  providers 
name,  address,  gender,  education,  competencies,  job  classification  and  employment  status. 


Recorded  vs.  Unrecorded  Information 


Information  is  not  health  information  unless  it  is  contained  in  a record.  The  Act  contains  a 
broad  definition  of  what  constitutes  a record.  A record  includes  such  things  as  x-rays,  notes, 
letters,  audio-visual  recordings  and  lab  reports.  A record  also  includes  any  other  information 
recorded  or  stored  in  any  manner. 

Custodians  are  often  told  things  that  may  not  get  written  down  in  a record. Technically, 
unrecorded  information  is  not  health  information.  Nevertheless,  it  is  protected  by  the 
Act  and  may  only  be  used  or  disclosed  for  the  purpose  for  which  it  was  provided. 


Unrecorded 
information 
is  protected 
by  the  Act 


EXAMPLE  2 


Confidentiality  of  Unrecorded  Information 


Bill  sees  his  physiotherapist  four  times  a week,  usually  early  in  the  day.  The  physiotherapist  is  a 

custodian  under  the  Act  as  she  is  a health  services  provider  and  the  visits  are  paid  for  by  the  AHCIP. 

Bill  often  looks  a little  worse  for  wear  and  comments  that  he  has  been  doing  a lot  of  partying  lately. 

His  physiotherapist  makes  no  note  of  it  in  Bill's  chart,  as  it  has  no  bearing  on  Bill's  treatment. 

The  physiotherapist  also  treats  Bill's  brother  who  comments  that  he  is  worried  about  Bill's  drinking. 

Can  the  physiotherapist  discuss  Bill's  disclosure  with  his  brother? 

Is  what  Bill  said  health  information? 

▲ As  the  information  was  not  put  into  a record,  it  is  not  health  information. 

▲ Nevertheless,  the  Act  provides  that  such  unrecorded  information  can  only  be  used  for  the 
reason  it  was  provided. 

▲ It  is  difficult  to  pinpoint  exactly  why  Bill  disclosed  the  fact  he  had  been  doing  a lot  of  partying. 
However,  we  can  be  fairly  certain  he  did  not  disclose  it  for  the  purpose  of  having  it  discussed 
with  others.  Consequently,  the  information  cannot  be  disclosed  even  though  no  record  was 
made  of  it. 


Individually  Identifying  vs.  Non-Identifying  Information 

The  Act  is  primarily  concerned  with  the  protection  of  individually  identifying  health 
information.  Not  all  of  the  information  used  in  the  health  care  system  needs  to  be  attached 
to  the  name  of  a specific  patient  or  to  a patient’s  personal  health  care  number.  It  may 
suffice,  particularly  in  the  area  of  research,  to  disclose  health  information  without  identifying 
the  persons  from  whom  it  came.  If  a person  cannot  be  identified  by  the  information 
disclosed,  their  privacy  cannot  be  infringed. 


Because  of  this,  the  Act  allows  non-identifying  information  to  be  collected  and  used  for  any 
purpose.  It  may  also  be  disclosed  for  any  purpose,  other  than  specific  restrictions  for  use 
in  data  matching. 


A 


EXAMPLE  3 


Identifying  vs. 

Non-Identifying  Health  Information 


Residents  of  a small  town  developed  concerns  about  the  safety  of  their  water  supply.  A newspaper 
reporter  contacted  the  town  doctor,  who  was  treating  the  reporter's  neighbour,  and  asked  if  his 
neighbour  was  being  treated  for  E-coli  infection.  The  doctor  responded  that  he  could  not  disclose  that 
information.  However,  he  told  the  reporter  that  all  patients  seen  that  day  showed  signs  of  E-coli 
infection  and  that  he  was  waiting  for  test  results  to  confirm  his  diagnosis.  Was  this  a disclosure  of 
individually  identifying  information? 

▲ It  is  possible  that  this  seemingly  anonymous  revelation  could  identify  individual  patients. 

As  the  reporter  knew  his  neighbour  had  seen  the  doctor  that  day,  he  would  know  the  doctor 
suspected  an  E-coli  infection.  In  a large  city,  such  a disclosure  might  not  identify  individual 
patients. 

▲ It  is  therefore  important  to  assess  the  context  of  the  disclosure  to  ensure  the  information 
does  not  identify  an  individual. 
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DUTIES  AND  POWERS  OF  CUSTODIANS  AND  AFFILIATES 


Duties  and  powers  of 
custodians  and  affiliates 

Relationship  Between  Custodians  and  Affiliates 


Much  of  the  time  custodians  are  assisted  by  their  affiliates.  When  you  need  to  see  a doctor  you 
first  make  an  appointment  with  a receptionist  When  you  arrive  for  your  appointment  the 
receptionist  will  collect  information  from  you.The  next  person  to  see  you  will  probably  be  a 
nurse.The  nurse  and  the  receptionist  are  affiliates  who  are  employed  by  the  doctor/custod/on. 

Custodians  are  responsible  for  their  affiliates.  When  affiliates  collect,  use  or 
disclose  information,  they  do  so  on  behalf  of  custodians.When  patients  provide  information 
to  affiliates,  it  is  as  if  they  had  given  the  information  directly  to  the  custodian.  If  an  affiliate 
does  something  the  Act  forbids  them  to  do,  it  is  as  if  the  custodian  performed  the  act. 

Affiliates  must  comply  with  the  Act  and  regulations  as  well  as  with  the  policies  and 
procedures  adopted  by  their  custodians. 

Specific  duties  and  powers  regarding  collecting,  using,  protecting  and  disclosing  information, 
as  well  as  assisting  people  in  obtaining  access  to  their  health  information  are  discussed 
later  in  this  guide. 

Establishing  Policies  and  Procedures 


Custodians  must  establish  policies  and  procedures  that  they  will  use  in  implementing 
the  Act  and  regulations.  A copy  of  these  policies  must  be  given  to  the  Minister  of  Alberta 
Health  and  Wellness  if  requested.  An  example  of  this  would  be  a policy  that  forbids 
employees  (affiliates)  from  accessing  patient  charts  unless  they  are  directly  involved 
with  the  patient’s  care. 

The  Prime  Directive 


It’s  important  to  understand  that  custodians  can  only  collect,  use  or  disclose  the  amount 
of  health  information  essential  to  carrying  out  the  purpose  for  which  the  information 
was  provided  in  the  first  place. 

In  other  words,  custodians 
must  collect,  use  and 
disclose  the  least  amount 
of  information  necessary 
and  preserve  the  highest 
degree  of  patient  anonymity 
possible  to  carry  out  the 
intended  purpose. 
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Individuals  can  also  expressly  ask  a custodian  not  to  release  certain  aspects  of  their  health 
information  and  these  wishes  must  be  considered  when  disclosure  is  contemplated. 

If  health  information  is  collected,  used  or  disclosed  for  a purpose  other  than  providing  a 
health  service  or  determining  eligibility  to  receive  a health  service,  custodians  must  not 
only  comply  with  the  prime  directive,  they  must  first  consider  whether  aggregate 
health  information  is  adequate  for  the  intended  purpose.  The  Act  requires  custodians  to 
collect,  use  or  disclose  aggregate  health  information  unless  that  level  is  insufficient  for 
their  purpose. 


Ensuring  the  Accuracy  of  Information 


Custodians  must  make  a reasonable  effort  to  ensure  that  health  information  in  their 
custody  or  control  is  accurate  and  complete  before  using  or  disclosing  that  information. 
What  is  reasonable,  simply  requires  the  exercise  of  good  judgement. You  are  not  expected 
to  be  perfect,  but  you  must  take  steps  that  a reasonably  average,  capable  custodian  would 
take.  If  a diagnosis  has  changed,  some  note  about  that  on  earlier  records  may  avoid 
having  another  provider  act  on  an  inaccurate  diagnosis  in  the  future. 

Privacy  Impact  Statements 

If  a custodian  wants  to  change  its  practices  or  information  systems  concerning  health 
information,  or  implement  new  ones,  it  must  prepare  a privacy  impact  statement  (PIA). 
The  statement  must  describe  how  those  changes  or  new  initiatives  will  affect  privacy  and 
it  must  be  reviewed  and  commented  on  by  the  Commissioner  before  the  changes  or  new 
initiatives  are  implemented.  For  example,  a plan  to  increase  collection  of  patient 
information  or  moving  from  paper  to  electronic  patient  files  would  both  be  reason 
enough  to  perform  a PIA. 

Privacy  Impact  statements  demonstrate  that  the  custodian  has  considered  the  privacy 
rules  in  HI  A and  has  weighed  the  impact  on  individual  privacy  against  the  benefits  of  the 
new  system  or  practice. 
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COLLECTING  HEALTH  INFORMATION 


Collecting  health 
information 

General 


The  rules  in  the  Act  about  collecting  health  information  only  apply  to  information 
collected  after  the  Act  came  into  force. 


Remember 
the  prime 
directive 

The  Act  authorizes  custodians  to  collect  information  for  certain  purposes  only. 

There  are  five  limits  to  collection: 


Custodians  must  only  collect  health  information  in  accordance  with  the  Act  Even  if  another 
Act  authorizes  them  to  collect  health  information,  this  Act  still  governs  how  they  collect 
it  and  from  whom  they  collect  it  Affiliates  must  only  collect  health  information  in  accordance 
with  their  duties  to  the  custodian  as  the  information  they  collect  is  collected  on 
behalf  of  the  custodian. 


▲ Collect  only  essential  information 

▲ Collect  with  highest  degree  of  anonymity 
A Collect  in  a limited  manner 

A Identify  authority  to  collect  individually  identifying  information 
A Collect  directly  from  the  individual  unless  indirect  collection  is  authorized 

Remember  the  prime  directive.You  must  only  collect  as  much  health 
information  as  is  essential  to  carry  out  the  purpose  for  which  the  information 
is  being  collected.  In  addition,  the  information  collected  must  relate  directly  to 
the  purpose  of  collection.  Custodians  should  have  a policy  about  what  health  information 
they  routinely  collect  and  who  is  allowed  to  collect  it  to  ensure  they  are  not  breaching 
these  rules.  For  example,  affiliates  whose  job  it  is  to  clean  patient  rooms  should  not  be 
collecting  health  information. 
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Remember  that  health  information  can  be  individually  identifying  or  non-identifying. 
Custodians  may  collect  non-identifying  health  information  for  any  purpose. 


Necessity  and  Purpose  in  Collection 


Doctor  Ferguson  has  developed  a theory  about  the  connection  between  blood  type  and  a certain 
ailment.  He  plans  to  do  research  in  this  area  and  is  in  the  process  of  preparing  a research  proposal. 
In  anticipation  of  this,  he  routinely  asks  new  patients  for  their  blood  type  when  they  first  come  to 
see  him.  Is  this  a proper  collection  of  information? 

A The  prime  directive  requires  that  custodians  collect  only  the  amount  of  information  essential 
to  allow  them  to  carry  out  the  purpose  for  which  the  information  is  provided. 

A The  Act  also  only  authorizes  collection  of  information  that  is  directly  related  to  that  purpose, 
so  for  patients  coming  to  Dr.  Ferguson  with  a sore  throat,  blood  type  is  likely  irrelevant. 

A It  is  improper  to  routinely  collect  such  information  when  it  is  not  needed  or  directly  related  to 
providing  the  health  service  the  patient  was  seeking. 


Collection  of  Individually  Identifying  Health  Information 

Personal  health  information  that  is  individually  identifying  is  simply  information  that  will 
identify  the  person  whom  the  information  is  about.  The  Act  allows  custodians  to  collect 
such  information  for  a number  of  purposes.  The  two  most  common  reasons  are: 

1 ) for  the  purpose  of  providing  a health  service , or 

2)  determining  or  verifying  eligibility  to  receive  a health  service. 

Other  authorized  purposes  for  collection  of  individually  identifying  health  information  include: 
A conducting  investigations; 

A holding  discipline  proceedings; 

A educating  health  service  providers;  and 
A conducting  research. 

Custodians  may  also  collect  individually  identifying  health  information  if  the  collection  is 
authorized  by  an  enactment  of  Alberta  or  Canada.  For  example,  the  reporting  of  a 
communicable  disease  under  the  Public  Health  Act. 
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Collection  of  Personal  Health  Numbers 


Only  custodians  or  persons  designated  by  the  regulations  can  ask  for  someone’s  personal 
health  number.  Persons  designated  by  the  regulations  include  insurers  (for  the  purpose  of 
handling  claims),  the  Workers’  Compensation  Board,  ambulance  attendants  and  operators. 


Collecting  Directly  from  the  Individual  Concerned 


A custodian  must  collect  individually  identifying  health  information  directly  from  the  person  it  Openness 
concerns  unless  the  Act  authorizes  collection  from  a third  party.  avoids 

misunder- 

If  you  collect  information  directly  from  the  person  it  concerns  you  must  take  standings 

reasonable  steps  to  inform  the  person  of: 

▲ the  purpose  for  which  the  information  is  collected; 

▲ the  custodian’s  specific  legal  authority  for  collecting  the  information; 

▲ the  title  and  business  address  and  phone  number  of  an  affiliate  who 
can  answer  questions  about  the  collection. 

The  Act  says  this  information  should  be  given  when  collection  takes  place.  Ideally,  it 
should  take  place  before  questions  are  asked  or  forms  filled  in  so  that  the  patient  has 
time  to  think  about  what  is  being  asked  for.  If  a patient  wants  to  authorize  a custodian  to 
collect  information  from  someone  else,  or  to  express  their  wishes  about  whom  disclosures 
may  be  made  to,  such  matters  can  be  dealt  with  at  the  same  time. 

Custodians  should  be  very  clear  about  their  reasons  for  collecting  information.  If  people 
are  told  why  certain  information  is  required,  what  it  will  be  used  for  and  who  will  have 
access  to  it,  they  will  not  be  surprised  or  annoyed  by  subsequent  uses  or  disclosures  for 
those  purposes.This  is  particularly  true  as  the  Act  allows  custodians  to  share  information 
for  the  purpose  of  providing  health  services  without  the  individual’s  consent. 

Health  service  is  a broadly  defined  term.  All  the  people  who  might  provide  health  services 
may  not  be  readily  apparent  to  a patient.  It  is  unnecessary  to  provide  an  exhaustive  list, 
but  informing  patients  what  types  of  people  are  likely  to  see  their  information  may  avert 
problems  at  a later  time.  For  example,  physicians  and  nurses  are  obvious  recipients, 
whereas  students,  researchers  or  peer  reviewers  are  not  as  obvious. 

The  Act  does  not  specify  how  this  notice  of  collection  is  to  be  given  to  the  patient. 

Custodians  must  take  reasonable  steps.  Again,  what  is  reasonable  requires  the  exercise  of 
good  judgement  and  common  sense.The  use  of  brochures,  notices,  signs  and  oral  explanations 
are  some  suggested  methods.  Custodians  should  be  sure  that  signs  and  notices  are  obvious 
and  drawn  to  their  patients’  attention.  Fine  print  at  the  bottom  of  a lengthy  form  is  not 
acceptable. 
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Information 
does  not 
have  to  he 
collected 
directly  from 
patients 


Safety, 
accuracy  and 
practicality  are 
important 
considerations 
in  collection 


Collecting  from  a Third  Party 

In  certain  circumstances  the  Act  allows  custodians  to  collect  individually  identifying  health 
information  from  someone  other  than  the  person  seeking  health  services. 

Allowable  circumstances  are: 

▲ Where  the  individual  authorizes  collection  from  someone  else; 

When  a patient  authorizes  collection  from  someone  else,  the  patient  should  still  be 
informed  what  information  is  to  be  collected,  from  whom,  and  the  purposes  for 
which  it  will  be  used.While  strictly  speaking  the  Act  does  not  require  this,  it  would 
avoid  arguments  later  on  about  exactly  what  the  patient  authorized  the  custodian 
to  do.  It  may  be  advisable  to  obtain  a written  authorization. 

A Where  the  individual  is  unable  to  provide  the  information  and  the  custodian  collects 
it  from  an  authorized  representative  such  as  a parent  or  guardian  of  a person  under 
the  age  of  1 8;  or  an  agent  under  a personal  directive. 

Collecting  from  children  raises  difficult  issues.  Persons  under  the  age  of  1 8 that  are 
capable  of  making  their  own  medical  choices  must  be  allowed  to  do  so.  Custodians 
cannot  use  this  provision  to  consult  the  parents  of  a 1 6-year-old  if  the  young  adult 
is  perfectly  capable  of  providing  the  needed  information.  However,  other  provisions 
in  the  Act  might  allow  a custodian  to  consult  a third  party  such  as  a parent. 

A Where  the  custodian  believes,  on  reasonable  grounds,  that  direct  collection 
would  prejudice: 

A the  interests  of  the  individual; 

A the  purpose  of  the  collection; 

A the  safety  of  another  individual;  or  would  result  in 
A the  collection  of  inaccurate  information. 

In  certain  situations  it  is  better  for  information  to  be  gathered  from  someone  other 
than  the  patient.  Certain  questions  may  create  unwarranted  stress  for  the  patient. 

A A drug  addict  may  give  false  information  in  an  effort  to  obtain  drugs  and 
confronting  such  an  individual  may  provoke  a violent  response. 

A People  may  not  want  to  disclose  that  they  have  a medical  condition 
such  as  AIDS. 

A A person  with  mental  health  problems  may  not  be  able  to  give  accurate 
information. 

This  rule  allows  custodians  to  go  to  other  sources  to  ensure  that  accurate 
information  is  obtained  and  dangerous  situations  are  avoided. 
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COLLECTING  HEALTH  INFORMATION 


A Where  direct  collection  is  not  reasonably  practicable; 

A An  unconscious  or  confused  patient  may  not  be  able  to  give  information. 

A In  an  emergency  there  may  not  be  time  to  question  the  patient. 

A A patient  may  not  know  the  answer  to  a question  but  a third  party, 
such  as  a parent,  might. 

A Where  the  information  is  available  to  the  public; 

A Where  the  information  is  collected  to  assemble  a family/genetic  history  necessary 
for  the  provision  of  health  services,  determine/verify  eligibility,  or  inform  a Public 
Trustee  or  Public  Guardian. 

A Where  the  information  is  collected,  from  a third  party,  in  a situation  where  the  Act 
would  allow  disclosure  of  that  information  to  the  third  party.  For  example,  the  Act  allows 
a specialist  to  collect  information  from  a patients  family  practitioner  without  consent. 


A 


EXAMPLE  5 


Collecting  Information  From  a Patient's  Family 


Mary  is  a senior  citizen  who  is  an  insulin  dependant  diabetic.  Mary  lives  on  her  own  and  suffers 
from  short  term  memory  loss  as  a result  of  a recent  stroke.  Mary  has  been  receiving  routine  care 
from  her  family  physician,  Dr.  Brown.  The  doctor  has  noted  that  Mary's  blood  sugars  are  not 
controlled  and  her  foot  care  regime  has  diminished  since  the  stroke.  Dr.  Brown  suspects  that  Mary 
is  forgetting  to  take  her  insulin  and  perform  her  routine  blood  sugar  testing.  Can  Dr.  Brown  contact 
Mary’s  family  about  his  suspicions? 


A Mary  could  be  asked  to  authorize  collection  of  her  health  information  from  someone  else. 

A Dr.  Brown  could  collect  information  from  someone  else  on  the  basis  that  it  was  not 

practicable  to  obtain  the  information  from  Mary,  as  she  believes  that  she  has  been  diligently 
following  her  routine  care  schedule. 

A Mary  may  be  forgetting  to  check  her  blood  sugars  and  adjusting  her  insulin  injections 
accordingly.  Dr.  Brown  could  collect  information  from  someone  else  on  the  basis  that 
collecting  from  Mary  may  result  in  the  collection  of  inaccurate  information. 


Information  collected  from  a third  party  may  not  be  as  accurate  or  reliable  as  that  collected 
directly  from  the  individual  it  concerns.  Remember  that  you  have  a duty  to  take  reasonable  steps 
to  ensure  the  information  is  accurate  and  complete.  It  may  be  appropriate  to  verify  such 
information  with  the  patient  at  a later  time  if  that  is  possible  and  justifiable. 


Confidentiality  of  information  collected  from  a third  party  cannot  necessarily  be  guaranteed. 
However,  custodians  have  the  authority  to  maintain  the  confidentiality  of  third  party  information 
that  was  supplied  in  confidence.  For  example,  a custodian  may  refuse  to  release  information  that 
would  lead  to  the  identification  of  the  third  party  where  the  information  was  supplied  in  confidence. 
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Unsolicited  Information  as  Collection 


Collect  also  means  to  receive  health  information.  Health  information  volunteered  by  someone 
such  as  a family  member  or  friend  is  information  collected  by  the  custodian,  even  though 
the  custodian  did  not  actively  solicit  it.The  Act  does  not  regulate  the  receipt  of  unsolicited 
information  but  it  does  address  the  confidentiality  of  non-recorded  information. 


Collecting 
also  means 
receiving 


It  would  be  good  practice  to  note  the  source  of  such  information  when  it  is  received, 
particularly  if  it  will  be  used  as  a basis  for  treatment.  Remember  that  custodians  must 
make  a reasonable  effort  to  ensure  that  information  is  accurate  and  complete  before 
they  use  or  disclose  it. 


EXAMPLE  6 


Receiving  Unsolicited  Information 


During  a consultation,  Dr.  Jones'  patient,  John,  tells  her  that  he  believes  his  neighbour,  Sue,  beats 
her  children.  John  says  he  regularly  sees  the  children  with  extensive  bruising  to  their  faces. 

Sue  and  her  children  are  also  patients  of  Dr.  Jones. 

Is  this  unsolicited  information  a collection  under  the  Health  Information  Act? 

A Yes,  if  the  information  is  recorded.  Although  the  information  was  volunteered  and  not 
requested  by  Dr.  Jones,  it  still  qualifies  as  a collection  as  defined  by  the  Act. 


Collection  using  a Recording  Device  or  Camera 

If  you  collect  health  information  from  an  individual  by  using  a recording  device,  camera  or 
any  other  device  that  may  not  be  obvious  to  the  individual,  you  must  obtain  the 
individuals  written  consent  before  collecting  the  information.  For  instance,  if  a video 
or  audio  recording  is  being  used  to  collect  health  information,  has  the  patients  attention 
been  drawn  to  it  and  consent  obtained? 


PROTECTING  HEALTH  INFORMATION 


Protecting  health 
information 

General 


Both  the  Act  and  the  regulations  require  custodians  to  protect  health  information  in  their 
custody  or  under  their  control.  Information  that  is  to  be  stored  or  used  outside  of 
Alberta  or  disclosed  to  a person  outside  of  Alberta  must  also  be  protected. This  means 
that  you  must  protect  information,  not 
only  while  it  is  in  your  hands,  but  when 
you  put  it  in  the  hands  of  other  people. 


These  safeguards  are  meant  to: 


Custodians  must  take  reasonable 
steps  to  maintain  administrative, 
technical  and  physical  safeguards 
to  protea  health  information.  Reasonable 
steps  are  those  that  a careful  custodian 
would  take. 


▲ 


protea  both  the  confidentiality 
of  the  information  and  the 
privacy  of  the  individuals 

who  are  the  subjects  of  that 
information.  For  example,  files  should  not  be  left  unattended  in  an  area  to  which 
the  public  has  access.  Nor  should  people  picking  up  prescriptions  be  put  in  the 
awkward  position  of  having  to  discuss  their  medications  in  front  of  others. 


Reasonable 
steps  must 
be  taken 


▲ protect  against  reasonably  anticipated  threats  or  hazards  to  the  security  or 
integrity  of  health  ihformation  or  the  loss,  unauthorized  access,  use,  disclosure  or 
modification  of  health  information. 


▲ ensure  custodians  and  affiliates  comply  with  the  Act. 

You  Must  do  the  Following: 

A Custodians  must  identify  and  record  their  administrative,  technical  and  physical 
safeguards  for  health  information. 

A Implement  and  periodically  assess  these  health  information  security  safeguards. 

A Custodians  must  designate  an  affiliate  who  is  responsible  for  the  overall  security 
and  protection  of  health  information  in  its  possession  or  under  its  control. 

A Custodians  must  enter  into  agreements  with  persons/groups  to  maintain  the 
confidentiality  and  privacy  of  health  information  that  is  to  be  used  or  stored 
outside  of  the  province. 


Custodians 

have 

obligations. 
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A The  regulations  contain  specific  requirements  regarding  the  contents  of  such 
an  agreement  so  that  the  custodian  can  ensure  the  person  receiving  the 
health  information  properly  protects  itThis  is  necessary  because  the  Act 
cannot  be  enforced  against  people  located  outside  of  the  province.  However, 
an  agreement  to  protect  health  information  given  to  them  is  a contract  that 
can  be  enforced  wherever  they  are  located. 


A An  agreement  is  not  necessary  if  the  information  is  for  continuing  care  and 
treatment.  For  example,  if  a patient  moves  to  another  province  and  asks  for 
their  health  information  to  be  transferred  from  one  family  physician  to 
another,  this  may  be  done  without  an  agreement. 


A Custodians  have  to  ensure  that  their  affiliates  know  what  the  safeguards  are  and 
that  they  implement  them.There  is  not  much  point  in  putting  information  in 
secure  filing  cabinets  if  affiliates  constantly  forget  to  lock  them. 

A Custodians  must  create  sanctions  for  affiliates  who  breach  or  attempt  to  breach 
the  safeguards  created  for  health  information.This  is  not  meant  to  frighten  people, 
but  to  impress  upon  affiliates  the  importance  of  preserving  privacy  and  confidentiality. 
For  example,  employees  may  be  required  to  sign  an  oath  of  confidentiality  and  if 
found  in  violation  of  the  oath,  they  would  be  subject  to  disciplinary  action  or  dismissal. 

Physical  Safeguards 


A Keep  white  boards  containing  patient  information  away  from  public  areas; 
A Physically  secure  the  areas  in  which  health  information  is  stored; 

A Lock  filing  cabinets  and  unattended  storage  areas; 

A Restrict  access  to  storage  areas  to  authorized  personnel; 

A Position  computer  terminals  and  fax  machines  so  they  cannot  be  seen  or 
accessed  by  unauthorized  users. 

Technical  safeguards 


A Use  screensavers  and  security  screens  so  visitors  cannot  view  terminals; 

A Install  virus  scanners  and  firewalls; 

A Use  passwords  to  restrict  computer  access  and  change  them  frequently; 

A Implement  document-tracking  systems  so  that  you  know  when  a document  is 
removed,  who  has  it  and  when  it  was  returned; 

A Ensure  that  any  computer  access  leaves  a footprint  that  can  be  followed  to 
assure  document  integrity; 

A Utilize  encryption  for  storage  and  transmission; 

A Encrypt  sensitive  e-mails. 
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Administrative  Safeguards 


A Train  staff  so  they  know  what  your  policies  are,  the  importance  of  following 
those  policies  and  the  results  that  might  follow  a breach  (someone  could  be 
fined,  disciplined  or  fired); 

A Consider  implementation  of  security  checks  to  screen  key  employee  positions; 

A Have  employees  take  an  oath  of  confidentiality; 

A Control  the  types  of  information  that  may  be  sent  by  fax  or  e-mail; 

A Use  preprogrammed  addresses  and  phone  numbers  on  faxes  and  e-mails  that 
are  regularly  sent  to  certain  places.This  minimizes  keystroke  errors  that  might 
result  in  information  being  misdirected. 

A Regularly  confirm  that  such  addresses  and  phone  numbers  have  not  changed; 


Staff  training 
enhances 
respect  for 
patient 
information 


EXAMPLE  7 


Security  Measures 


Jill  is  a receptionist  for  a plastic  surgeon  who  has  numerous  well-known  people  for  patients. 

Jill  has  a budding  relationship  with  a courier  who  comes  daily  into  the  office.  As  they  chat  the 
courier  can  see  Jill's  computer  screen  and  over  a period  of  time  he  acquires  a list  of  patients  that 
are  treated  by  the  surgeon.  Sometimes  he  sees  reports  about  treatment  procedures  that  Jill  is 
typing.  He  sells  this  information  to  a local  reporter. 


A Jill's  computer  screen  should  not  be  visible  to  visitors,  nor  should  paper  copies  of  sensitive 
information  be  left  where  others  can  see  them. 


Restrict  Access  by  Staff 


Remember  that  affiliates  must  only  collect,  use  and  disclose  health  information  in  accordance 
with  their  duties  to  the  custodian.This  concept  is  easier  explained  as  the  “need  to  know” 
principle.  Custodians  that  employ  many  people  will  likely  have  numerous  affiliates  who 
have  no  need  to  have  any  access  whatsoever  to  health  information.  Some  affiliates  will  only 
need  access  to  certain  information. 

Diagnostic,  treatment  and  care  information  needs  to  be  seen  by  very  few  people. 

For  instance, 

A Finance  personnel  handling  purchase  orders,  accounts  payable  and  receivable  likely 
do  not  need  to  see  such  information. 

A Doctors  and  nurses  only  need  to  see  files  of  people  with  whom  they  are 
directly  involved. 
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EXAMPLE  8 


Need  to  Know 


A patient  with  a history  of  drug  abuse  is  admitted  for  an  emergency  appendectomy.  A file  is 
obtained  from  her  doctor  that  contains  a detailed  history  of  her  treatments  over  the  past  few  years. 
During  night  shift  a nurse,  not  involved  in  her  care,  browses  through  the  file.  Is  this  wrong? 

▲ Access  to  such  files  should  be  restricted  to  persons  treating  the  patient.  Custodians  should 
have  a clear  policy  about  this  and  staff  should  be  trained  accordingly. 

A Custodians  must  create  sanctions  to  encourage  affiliates  to  follow  the  rules. 


EXAMPLE  9 


Need  to  Know 


The  Great  Big  Hospital  has  a unit  that  handles  both  orthopedic  and  neurology  patients.  The  patient 
charts  are  hung  on  hooks  in  a central  location  so  staff  can  access  them  without  having  to  walk 
around  the  whole  room.  The  charts  have  cover  sheets  that  say  "Confidential"  in  bold  letters. 

Does  this  sufficiently  protect  the  information? 

A Convenience  for  staff  must  not  take  precedence  over  protection  of  privacy  and  confidentiality. 
Charts  that  are  easily  accessible  to  staff  are  also  easily  available  to  others,  including  visitors. 

A Visitors  should  not  be  looking  at  anyone's  chart,  unless  authorized.  This  arrangement  makes  it 
possible  for  them  to  view  the  chart  of  anyone  in  the  room. 


Disposal  of  Records 


The  safeguards  that  are  created  to  protect 
health  information  must  also  include 
appropriate  measures  for  the  proper 
disposal  of  that  information.  Files  should 
not  be  left  behind  when  you  move  or 
tossed  in  a garbage  bin  accessible  to 
anyone  who  wanders  by.  Computers  need 
to  have  health  information  erased  before 
being  sold  at  auction.  Appropriate  methods 
for  disposal  of  health  information  include 
burning  or  shredding. 
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Using  health 
information 


General 


Use  as  defined  in  the  Act  allows  health  information  to  be  reproduced  as  it  is  being  used, 
but  not  disclosed.  Disclosure  and  use  are  two  distinct  things.  Disclosure  is  discussed  later 
in  this  guide.  If  one  custodian  provides  health  information  to  someone  outside  his  or  her 
organization,  that  is  a disclosure  of  the  information. 


Use  of 


information 
is  restricted 
to  prescribed 
purposes 


Custodians  may  only  use  health  information  in  accordance  with  the  Act.  Custodians 
cannot  use  information  for  marketing  purposes  or  for  soliciting  donations. 

Affiliates  may  only  use  health  information  in  accordance  with  their  duties  to  the 
custodian.  Remember  the  “need  to  know”  principle.  An  affiliate  who  is 


responsible  for  a patient’s  care  should  not  be  giving  information  about  that  patient  to 


another  affiliate  who  is  not  involved  in  the  care  of  that  patient. 

As  with  collection,  there  are  limits  to  using  individually  identifying  health  information. 

Remember  the  prime  directive.  You  must  use  only  the  amount  of  health  information 
essential  to  carry  out  the  authorized  purposes  for  which  the  information  was  provided 
and  at  the  highest  level  of  anonymity. 

Use  of  Health  Information 


Use  implies  access  and  sharing  of  information  among  custodians  and  affiliates. 

The  Act  allows  custodians  to  use  individually  identifying  health  information  for  a number  of 
authorized  purposes.  It  also  means  that  affiliates  of  a custodian  may  access  health 
information  required  to  perform  duties  related  to  any  of  the  authorized  uses. 

Affiliates  are  allowed  to  share  information  without  an  individual’s  consent. 

The  two  most  common  uses  are: 

▲ for  providing  a health  service;  or 

A determining  or  verifying  a person’s  eligibility  to  receive  a health  service. 

Other  uses  include: 

A conducting  investigations; 

A discipline  proceedings,  practice  reviews  and  inspections; 

A conducting  research  (research  proposals  must  undergo  an  ethics  review); 

A educating  health  services  providers;  and 
A managing  internal  operations. 
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The  Minister  and  Department  of  Alberta  Health  and  Wellness,  RHAs  and  provincial 
health  boards  have  four  additional  uses  under  HIA.  Their  uses  are  to: 

▲ plan  & allocate  regional  resources; 

▲ manage  the  health  system; 

A conduct  public  health  surveillance;  and 
A develop  health  policies  and  programs. 


Remember,  persons  authorized  to  collect  personal  health  number  (PHN),  other  than 
custodians,  may  only  use  PHN  for  the  purpose  for  which  it  was  provided. 


Accuracy  and  Completeness 


Custodians  must  take  reasonable  steps  to  ensure  that  information  is  accurate  and 
complete  before  they  use  it.There  is  no  magic  in  this  requirement.  In  most  instances, 
reasonable  would  include  assessing  whether  the  information  is: 

A accurate; 

A up  to  date; 

A complete; 

A relevant;  and 
A not  misleading. 


Reasonableness  may  depend  upon  the  circumstances.You  should  be  very  careful  if  you 
collected  the  information  from  a third  party  or  if  the  patient  gives  you  the  information 
directly,  but  seems  confused  or  unsure.  In  an  emergency  situation  you  may  not  have  time  to 
check  the  information  as  carefully  as  you  might  like,  but  accuracy  should  be  confirmed  later. 


What  is  reasonable  may  also  depend  on  what  the  information  is  to  be  used  for  and  its 
impact  on  the  patient.  Knowing  someone’s  date  of  birth  is  obviously  less  important  than 
knowing  whether  they  have  an  allergy  to  an  anaesthetic  when  they  arrive  unconscious 
and  require  emergency  surgery.  The  Act  does  not  change  existing  practice.  Custodians 
should  already  be  well  aware  what  constitutes  a reasonable  effort. 


DISCLOSING  HEALTH  INFORMATION  TO  THIRD  PARTIES 


Disclosing  health 
information  to  third 
parties 

General 


The  word  "disclose”  is  not  defined  in  the  Act.  Remember,  however,  that  the  use  of  Custodians 

health  information  does  not  include  the  disclosure  of  health  information.  Use  and  may  need  to 

disclosure  are  distinct  concepts.  Essentially,  disclosure  occurs  when  a custodian  provides  disclose 

health  information  to  another  custodian  within  the  controlled  arena  or  to  other 
entities  outside  the  controlled  arena. 

Remember  that  the  Act  applies  to  the  disclosure  of  all  health  information,  whether  it 
was  collected  before  or  after  the  Act  came  into  force. 


Disclosure  must  also  be  distinguished  from  access.  A request  for  access  to  health 
information  means  a request  by  an  individual  who  wants  to  see  their  own  health  records. 
The  Act  sets  out  a procedure  for  making  such  requests.  Generally  other  parties  have  no 
right  to  make  such  a request.  Access  is  discussed  in  a subsequent  section  of  this  guide. 


There  are  three  circumstances  in  which  custodians  may  need  to  disclose  health  information. 
They  may: 

- have  to  disclose; 

- want  to  disclose;  or 

- have  been  requested  to  disclose. 

In  some  cases  custodians  have  no  choice  but  to  disclose  information  because  the  law 
requires  them  to  disclose  it.  In  other  cases  they  may  need  or  want  to  disclose  information, 
even  against  the  patients  wishes  or  without  the  patient’s  permission,  so  they  can  protect 
others  or  do  what  is  best  for  the  patient. 

Generally,  an  individual’s  consent  is  required  before  health  information  is  disclosed. 
Remember  that  custodians  are  responsible  for  their  affiliates.  Custodians  must  only 
disclose  information  when  the  Act  allows  them  to  in  the  manner  set  out  in  the  Act. 
Affiliates  must  only  disclose  information  in  accordance  with  their  duties  to  their 
custodians.  Affiliates  should  not  be  disclosing  information  to  other  parties  without 
authorization. 


Remember  that  there  are  three  types  of  health  information.  This  guide  focuses  on 
diagnostic,  treatment  and  care  information,  as  that  is  the  type  of  health  information  most 
people  are  concerned  about.  However,  the  Act  also  governs  the  disclosure  of  health 
service  provider  information  and  registration  information.  Remember  also  that  infor- 
mation can  be  identifying  or  non-identifying.  It  is  the  disclosure  of  individually  identifying 
information  that  is  restricted  by  the  Act. 
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Obtaining 

consent 

avoids 

problems 


Consent  to  Disclosure 


The  general  rule  is  that  custodians  may  disclose  individually  identifying  health  information 
to  the  person  who  is  the  subject  of  the  information  or  to  persons  acting  on  that 
subject’s  behalf.  The  latter  group  was  discussed  in  the  section  on  collecting  health  information 
and  includes  people  listed  as  guardians  (such  as  parents)  and  personal  representatives. 
Disclosure  to  other  parties  is  made  only  in  the  specific  circumstances  set  out  in  the  Act. 

Particular  care  must  be  taken  when  dealing  with  persons  under  the  age  of  1 8 
years.  If  a person  under  the  age  of  18  understands  the  nature  of  the  rights  and  powers  set 
up  by  the  Act  and  the  consequences  of  exercising  those  rights  and  powers,  custodians 
must  treat  that  person  as  they  would  treat  any  other  competent  person. 

If  a person  does  not  have  the  mental  capacity  to  consent  to  disclosure,  custodians  may 
disclose  information  about  that  person  without  consent  if  it  is  in  that  person  s best  interest. 

Of  course,  even  where  the  Act  does  not  specifically  provide  for  disclosure  to  a third  party, 
custodians  may  disclose  information  to  a third  party  if  the  patient  consents  to  that 
disclosure.The  Act  is  very  specific  about  the  form  of  the  consent. 

The  consent  must  be  given  electronically  or  in  writing.  A consent  authorizing  a 
custodian  to  disclose  information  must  specify  or  contain: 

A the  information  to  be  disclosed; 

A the  purpose  for  which  the  information  is  to  be  used; 

A the  identification  of  the  person  receiving  the  information; 

A an  acknowledgement  that  the  person  providing  the  consent  is  aware  of  the 
reasons  why  the  information  is  needed  and  the  risks  and  benefits  of  either 
consenting  or  refusing  to  consent; 

A the  effective  date  of  the  consent  and  the  expiry  date  (if  any);  and 
A a statement  advising  the  person  that  they  may  revoke  the  consent  at  any  time. 

Any  disclosure  that  takes  place  must  be  in  accordance  with  the  consent  given. 

If  individually  identifying  diagnostic,  treatment  and  care  information  is  to  be  disclosed  by  electronic 
means,  another  separate  consent  is  required.  Electronic  means  is  defined  in  the  regulations 
and  refers  to  electronic  or  digital  information  stored  in  a networked  database  by  the  custodian, 
which  is  accessible  by  other  authorized  users.  It  does  not  refer  to  the  method  of  transmission, 
for  example  by  fax,  internet  or  intranet.  This  type  of  consent  is  not  required  if  the 
disclosure  by  electronic  means  is  for  obtaining  or  processing  payment  for  health  services. 


Openness  in  collection  procedures  avoids 
disclosure  problems  later 


Judy  is  being  discharged  from  a psychiatric  facility  back  to  her  group  home.  The  psychiatric  facility 
wishes  to  inform  the  group  home  leader  of  Judy's  release  and  discharge  plan.  Is  this  disclosure 
allowed  by  the  Act? 

A Custodians  must  inform  individuals,  at  the  time  of  collection,  of  the  purposes  for  which  the 
information  is  collected  and  should  obtain  consent  upon  admission  for  identified  disclosure 
purposes. 

A In  this  example,  if  it  is  determined  that  the  group  home  leader  is  a continuing  care  provider, 
then  disclosure  would  be  allowed  without  consent. 
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Duties  and  Discretion  of  Custodians 


Custodians  do  not  have  to  disclose  health  information  except  in  a very  few  cases. 
Most  of  the  rules  in  the  Act  say  that  a custodian  may  disclose  information  in  certain 
situations.This  means  the  custodian  has  the  discretion  to  refuse  disclosure,  even  to  a 
person  asking  for  their  own  health  information.Therefore,  professional  codes  of  ethics 
still  apply.  Even  if  the  Act  allows  disclosure,  you  should  not  disclose  information  if  your 
code  of  ethics  forbids  disclosure. 

Custodians  must  be  sure  the  disclosure  is  made  to  the  correct  party.  The  Act  requires 
that  custodians  make  a reasonable  effort  to  ensure  that  disclosure  is  made  to  the  person 
authorized  and  intended  to  receive  the  information.  Safeguards  were  discussed  earlier  in 
this  guide  in  the  section  on  protecting  health  information.  For  example,  if  you  are  sending 
information  to  Dr.  Anderson  and  there  are  four  Dr.Andersons,you  have  a duty  to  ensure 
the  correct  doctor  receives  the  information  or  that  lab  results  are  not  faxed  to  the 
wrong  person. 

How  Much  to  Disclose 


Remember  the  prime  directive.  Custodians  must  only  disclose  information  that  is 
essential  to  allow  the  custodian  or  recipient  to  carry  out  the  purpose  for  which  the 
information  is  being  disclosed.When  a patient  consents  to  provide  health  information  in 
support  of  a back  claim  to  WCB,  it  would  be  inappropriate  to  send  the  WCB  specialist 
the  patient’s  complete  medical  chart  going  back  twenty  years,  especially  if  the  information 
is  not  all  related  to  the  back  problem. 

Any  expressed  wishes  by  the  person  must  be  respected.  Custodians  must  consider 
those  wishes,  and  any  other  relevant  factors,  when  they  decide  how  much  health 
information  to  disclose. 

You  Have  to  Disclose  Certain  Information 


The  Act  itself  does  not  require  disclosure,  but  it  allows  disclosure  so  that  custodians  can 
comply  with  other  legislation  or  court  orders  that  do  require  disclosure.Two  examples  are: 

▲ The  Public  Health  Act  requires  disclosure  about  people  who  have  or 
may  have  a notifiable  infectious  disease. 

▲ The  Cancer  Programs  Act  requires  disclosure  of  “reportable  cancers”. 

In  court  cases  involving  insurance  claims  or  personal  injury  claims,  the  parties  to  the  action 
may  have  to  disclose  medical  information.  In  most  cases  this  is  done  by  consent.  However, 
the  court  will  issue  an  order  or  subpoena  to  compel  disclosure  if  that  is  necessary. 

The  Act  allows  custodians  to  comply  with  such  orders. 

Remember  that  you  still  need  to  be  careful  about  what  information  you  disclose. 

The  duty  to  disclose  only  the  information  that  is  essential  for  the  purpose  for  which  it 
is  being  disclosed  may  still  govern  where  a court  order  is  not  very  specific  about 
precisely  what  is  to  be  disclosed. 


You  rarely  have 
to  disclose 


Disclose  only 

essential 

information 
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The  Act  recognizes  the  fact  that  disclosure  without  consent  may  be  necessary  in  a 
number  of  cases.This  guide  covers  only  disclosures  that  are  likely  to  occur  regularly. 
Usually  these  are  cases  that  contribute  to  the  efficient  running  of  the  health  care  system 
or  cases  where  other  interests  that  will  be  protected  by  disclosure  are  more  important 
than  the  patient’s  privacy  interest. 


Parents  don't 
have  an 
automatic 
right  to 
children's 
records 


It  is  important  to  note  that  the  Act  makes  no  specific  provision  for  the 
disclosure  of  information  to  the  parents  of  children  or  to  responding  to  media 
requests  for  information.  Disclosure  is  only  allowed,  even  to  parents,  if  one  of  the 
following  grounds  for  disclosure  exists  or  if  the  child  is  too  young  to  understand  the 
nature  of  the  rights  and  powers  created  by  the  Act  and  the  consequences  of  exercising 
those  rights  and  powers. 


Disclosure  to  other  Custodians 


Diagnostic,  treatment  and  care  information  is  regularly  shared  between  custodians. 

The  health  care  system  would  grind  to  a halt  if  consent  were  required  for  each 
disclosure.  Doctors  consult  with  each  other,  specimens  are  sent  to  labs,  patients  are 
referred  for  physiotherapy  and  prescriptions  are  filled.  Patients  know  this  and  do  not 
expect  to  be  asked  for  permission  each  time  something  is  done  for  them.  A custodian 
may  disclose  information,  without  consent,  to  another  custodian  for  the  purpose  of 
providing  a health  service  to  a patient. 


Disclosure  to  Continuing  Care  Providers 


The  Act  allows  disclosure  of  health  information  to  persons  responsible  for  providing 
continuing  treatment  and  care  to  an  individual.  However,  it  does  not  define  “continuing 
care  provider”  because  the  range  of  people  who  provide  such  services  is  very  broad. 
Terminally  ill  or  ageing  patients  are  often  cared  for  at  home  by  family  or  by  others  who 
are  not  custodians.  Parents  care  for  younger  children.These  people  often  have  to  give 
medicine  to  the  patient  and  often  are  the  source  for  collecting  information  about  the 
patient’s  condition.  Custodians  may  disclose  information  without  consent  to  such  people 
so  that  they  may  provide  care  to  the  patient.  One  example  would  be  the  provision  of 
a prescription  to  a third  party  who  is  caring  for  the  individual. 


EXAMPLE  11 


Request  by  Caregivers 


Thomas  is  a 78  year  old  man  with  severe  emphysema.  He  is  to  be  discharged  after  a stay  in 
hospital.  His  wife,  Laura,  plans  to  look  after  him  in  their  home.  She  has  asked  their  family  physician 
for  information  on  Thomas'  day  to  day  needs.  Can  the  doctor  provide  information  to  Laura? 

A Laura  is  Thomas'  caregiver,  so  her  request  can  be  answered  and  the  Act  provides  for  disclosure 
of  such  information. 

A Unless  the  doctor  is  aware  that  Thomas  does  not  want  the  information  disclosed,  there  is  no 
reason  to  withhold  information  from  Laura. 
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EXAMPLE  12 


Disclosure  of  a child's 
counselling  notes  to  parents 


A 12-year-old  boy  is  receiving  counselling  for  behavioural  problems  that  include  some  violent 
episodes.  The  episodes  may  be  related  to  abuse.  He  only  agreed  to  go  to  counselling  if  the 
sessions  were  kept  confidential.  He  lives  with  his  mother,  who  has  sole  custody,  and  two  younger 
siblings.  Although  his  father  has  visitation  rights  every  second  weekend,  he  exercises  it  infrequently. 
The  mother  wants  the  counsellor  to  disclose  information  about  the  boy's  progress  and  statements 
made  during  the  counselling  sessions.  Can  the  counsellor  disclose  information  to  the  mother? 


A Parents  do  not  have  an  automatic  right  to  information  about  their  child.  If  the  boy  is 
competent  to  exercise  his  rights  under  the  Act,  he  must  be  allowed  to  exercise  them. 

A It  is  possible  that  disclosure  could  be  made  to  the  mother  as  a continuing  caregiver  if  that 
would  help  her  care  for  her  son. 

A Remember  that  disclosure  may  be  made  to  any  person  if  the  subject  of  the  information  lacks 
the  mental  capacity  to  consent  and  disclosure  would  be  in  their  best  interest.  It  is  arguable 
whether  a 12  year  old  lacks  the  capacity  to  consent. 

A if  the  boy  could  be  a danger  to  his  younger  siblings,  disclosure  should  be  made  to  the  mother 
for  the  purpose  of  protecting  the  siblings  (this  ground  for  disclosure  is  discussed  further  on  in 
this  section). 

A Disclosure  in  general  terms  is  allowed  to  family  members  (and  is  discussed  further  on  in  this 
section),  but  only  if  the  patient  has  not  expressly  requested  that  it  not  be  made.  As  the  boy 
only  went  to  counselling  on  the  basis  that  the  sessions  be  confidential,  even  limited 
disclosure  to  the  father  would  not  be  allowed. 

A Suspected  abuse  must  be  reported  as  per  Section  3 of  the  Child  Welfare  Act. 


Disclosure  Due  to  Family/Close  Personal  Relationship 


Disclosure  can  be  made  in  such  cases  as  long  as  the  patient  has  not  expressly  requested 
that  disclosure  not  be  made. 

The  information  that  may  be  disclosed  must  be  in  general  terms  and  concern  the 

presence,  location,  condition,  diagnosis,  prognosis  and  progress  of  the  patient 
on  the  day  on  which  the  information  is  disclosed. 

Disclosure  can  also  be  made  so  that  family  members  or  a person  who  has  a close 
personal  relationship  can  be  contacted  to  advise  that  the  patient  is  injured,  ill  or  deceased. 

Whether  a person  who  is  not  a family  member  has  a close  personal  relationship  to  the 
patient  is  a judgement  call.  Disclosure  to  friends  is  generally  not  made,  but  if  two  people 
live  together  or  a patient  has  no  family,  disclosure  to  a close  friend  may  be  appropriate. 

The  Act  also  allows  a restricted  disclosure  to  a deceased  individual’s  descendant  if  the 
disclosure  is  necessary  for  providing  a health  service  to  the  descendant. 
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Sometimes  custodians  are  parties  (e.g.  plaintiffs  or  defendants)  in  court  or  administrative 
proceedings.  Custodians  may  disclose  health  information  for  the  purpose  of  bringing  or 
defending  such  actions. 


Sometimes  custodians  are  not  parties  to  the  action  at  all,  but  have  information  in  their 
possession  that  is  needed  by  the  parties  or  the  court  to  help  decide  the  case.  Often  the 
parties  to  the  case  exchange  information  willingly,  but  sometimes  they  do  not  and  the  court 
will  issue  an  order  or  subpoena  to  require  the  disclosure  of  relevant  health  information. 


Custodians  must  comply  with  such  orders,  but  they  should  be  careful  to  disclose  only  the 
information  they  are  required  to  disclose.  Usually  the  order  will  be  quite  specific,  but 
remember  the  prime  directive.  If  you  are  not  clearly  required  to  disclose  certain 
information  you  should  not  disclose  it. 

Disclosure  to  Prevent  Fraud,  Abuse  of  the  System  or  Offences 


Disclosure 
is  allowed 
to  prevent 
fraud  and 
abuse 


Custodians  who  have  a reasonable  expectation  that  disclosure  will  detea  or  prevent  fraud, 
limit  abuse  of  health  services  or  prevent  an  offence  may  disclose  information  to  another  custodian. 

This  part  of  the  Act  allows  custodians  to  share  information  for  purposes  other  than  providing 
health  services.This  section  does  not  allow  you  to  disclose  information  to  the  police, 
as  they  are  not  custodians. 
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Disclosure  to  prevent  abuse 


Susan  is  a pharmacist  who  works  at  a number  of  stores.  A customer  arrives  to  pick  up  a prescription 
for  a medicine  that  contains  codeine.  Susan  recognizes  the  customer  from  her  shifts  at  the  other  stores 
and  notes  that  the  prescription  is  suspicious.  Susan  has  good  reason  to  suspect  that  the  customer  is 
forging  prescriptions  for  the  purpose  of  obtaining  the  narcotic  codeine.  This  is  an  offence  under  the 
Controlled  Drugs  and  Substances  Act.  What  can  Susan  do  in  this  situation? 

A This  section  of  the  Act  allows  Susan  to  disclose  the  fact,  to  other  custodians,  that  other  prescriptions 
have  been  issued.  She  would  also  follow  the  procedures  for  the  Triplicate  prescription  program 
and  she  may  notify  other  pharmacists  about  the  suspected  abuse.  Susan  may  also  volunteer  to 
coordinate  the  dissemination  of  this  information  to  regional  pharmacists. 
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Disclosure  to  prevent  fraud 


John's  ten-year-old  niece  is  visiting  from  California  for  the  weekend.  She  becomes  ill  and  John  takes  her 
to  a medicentre,  as  he  suspects  sne  has  an  ear  infection.  As  she  has  no  health  insurance,  John  pretends 
she  is  his  own  daughter  and  gives  his  daughter's  health  care  number  to  the  nurse.  The  nurse  registers  the 
patient  including  the  name  of  their  family  physician.  Unknown  to  John,  is  the  fact  that  the  nurse  has 
seen  John's  daughter  and  is  certain  that  the  niece  is  not  the  daughter  or  a sibling.  What  can  the  nurse 
do  in  this  situation  of  suspected  fraud? 


The  nurse,  as  an  affiliate  at  the  medicentre,  may  phone  the  family  physician  and  disclose  information 
to  him  to  try  and  ascertain  if  the  patient  is  John's  daughter.  The  physician  can  review  John's  daughter's 
health  record  for  the  purpose  of  preventing  fraud  or  abuse  of  tne  health  system.  The  doctor  can 
also  provide  information  back  to  the  nurse  to  help  her  distinguish  the  daughter  from  the  niece. 


Disclosure  to  Police 


Disclosure  may  be  made  to  the  police  for  the  purpose  of  investigating  an  offence  Disclosure  to 

involving  a life-threatening  personal  injury  to  a patientThis  may  only  be  done  if  it  is  police  is  limited 

not  against  the  express  wishes  of  that  person.  Note  that  disclosure  may  also  be  made  to  the 
police  for  the  purpose  of  avoiding  an  imminent  danger  to  the  health  or  safety  of  any  person. 


EXAMPLE  15 


Disclosure  to  police 


Carol  is  brought  to  the  hospital  by  ambulance.  She  is  unconscious,  her  face  is  badly  bruised  and  she 
may  have  a broken  neck.  The  police  were  in  attendance  at  the  home  due  to  a 91 1 call  and  now 
arrive  at  the  hospital  asking  the  doctor's  opinion  about  how  the  injuries  may  have  occurred. 

They  know  the  attendants  found  Carol  at  the  bottom  of  a long  flight  of  stairs  and  that  her  husband 
was  present  and  appeared  to  be  extremely  angry  and  agitated.  The  husband  claimed  that  Carol  had 
fallen  down  the  stairs,  but  the  police  suspect  she  was  beaten  and  then  pushed  down  the  stairs. 

May  the  doctor  give  his  opinion  to  the  police? 


The  doctor  may  disclose  the  nature  of  Carol's  injuries  if  the  injuries  are  determined  as 
life-threatening  and  Carol  has  not  expressly  requested  that  disclosure  not  be  made. 
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Disclosure  to  Preserve  Health/Safety 

A custodian  may  disclose  information  to  any  person  if  he  or  she  believes,  on  reasonable 
grounds,  that  the  disclosure  will  avert  or  minimize  an  imminent  danger  to  the  health 
or  safety  of  any  person. 


This  is  a difficult  section  due  to  the  presence  of  the  word  “imminent”.  It  is  not  a defined  term 
in  the  Act.  It  can  mean  that  a danger  is  hanging  over  a persons  head  and  is  likely  to 
happen  very  soon. 


Disclosure 
is  allowed 
to  preserve 
health  and 
safety 


EXAMPLE  16 


Disclosure  to  lessen  a serious  and 
imminent  threat 


A doctor  has  a patient  who  is  employed  as  a bus  driver.  The  patient  has  been  experiencing  bouts  of 
forgetfulness  and  confusion.  The  doctor  feels  the  patient  may  be  experiencing  early  symptoms  of 
Alzheimer's  Disease.  He  feels  the  patient  should  not  be  driving,  but  the  patient  refuses  to  stop. 
What  can  the  doctor  do? 

▲ The  doctor  must  make  a judgment  call  as  to  whether  the  danger  to  passengers,  other  drivers, 
pedestrians  and  even  the  patient  is  imminent.  If  it  is,  the  doctor  may  inform  any  person  if  the 
custodian  believes  that  will  avert  or  minimize  the  danger.  This  could  include  disclosure  to  the 
patient's  employer,  the  police  and  the  motor  vehicle  licensing  branch. 


EXAMPLE  17 


Disclosure  to  avert  or  minimize  imminent 
danger  to  the  health  or  safety  of  any  person 


The  police  are  investigating  a series  of  sexual  offences  believed  to  have  been  committed  by  a serial 
rapist.  The  rapist  has  expressed  his  desire  to  rape  a particular  individual.  The  police  have  written  to 
every  doctor  in  the  city  disclosing  information  about  injuries  the  man  likely  received  during  a recent 
attack  and  asking  the  doctors  to  advise  the  police  if  they  have  treated  anyone  with  such  injuries. 
Can  a doctor  who  suspects  that  one  of  his  patients  is  the  offender  disclose  information  to  the 
police? 

A Does  the  custodian  have  reasonable  grounds  to  believe  the  disclosure  will  avert  or  minimize  an 
imminent  threat  to  health  or  safety?  If  the  injury  is  so  distinct  that  it  is  unlikely  that  anyone 
but  the  rapist  would  have  sustained  the  injury,  disclosure  may  be  justified. 
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Notice  to  the  Recipient  of  the  Disclosure 

If  a custodian  discloses  individually  identifying  diagnostic  treatment  and  care  information,  the 
custodian  must  inform  the  recipient  in  writing  of  the  purpose  of  the  disclosure  and  the 
authority  under  which  the  disclosure  is  made. 

This  does  not  have  to  be  done  if  the  disclosure  is  to  another  custodian  for  the  purpose 
of  providing  a health  service. 

However,  in  many  of  the  preceding  examples  notice  would  have  to  be  given.  If  information 
were  disclosed  to  the  employer  in  the  bus  driver  example,  a notice  would  have  to  be 
given  as  well,  stating  that  the  information  was  being  disclosed  for  the  purpose  of  preserving 
public  safety  and  that  the  disclosure  was  authorized  by  the  Health  Information  Act. 

Notation  of  Disclosures 


If  a custodian  discloses  a record  that  contains  individually  identifying  diagnostic,  treatment  and 
care  information,  outside  of  the  controlled  arena,  the  custodian  must  log  that  disclosure.The 
log  must  contain: 

- the  name  of  the  person  to  whom  the  information  was  disclosed; 

- the  date  and  purpose  of  the  disclosure;  and 

- a description  of  the  information  disclosed. 

The  notation  must  be  retained  for  ten  years  and  the  person  who  is  the  subject  of  the 
information  may  seek  access  to  and  request  a copy  of  the  information. 

This  section  simply  allows  a patient  to  see  which,  if  any,  records  have  been  disclosed  and, 
if  they  have  been  disclosed,  to  whom  they  were  disclosed.  Remember  that  record  has  a 
specific  meaning  under  the  Act. 

Disclosure  for  Research  Purposes 

The  Act  contains  provisions  that  expressly  govern  the  disclosure  of  health  information  for 
research  purposes. These  provisions  require  the  submission  of  a proposal  to  an  ethics 
committee.  If  the  committee  approves  the  proposal,  the  researcher  may  ask  custodians  to 
disclose  information,  but  the  custodian  does  not  have  to  disclose  the  information. 

If  the  custodian  chooses  to  disclose  the  information,  an  agreement  outlining  the  ethic 
committee’s  conditions,  as  well  as  terms  protecting  the  information  and  the  identities  of 
the  persons  involved  in  the  research,  must  be  signed. 
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Right  of  access  to 
personal  health 
information 

General 


A person  has  a right  of  access  to  any  record  that  contains  health  information  about  that 
person  that  is  in  a custodians  custody  or  control.  If  a record  is  not  in  the  custodians  hands, 
but  the  custodian  has  the  power  to  retrieve  it, then  the  record  is  in  the  custodians  control. 
You  may  have  sent  a file  to  storage,  but  if  you  can  retrieve  it,  the  record  is  still  in  your  control. 

People  do  not  have  an  unrestricted  right  of  accesses  custodians  are  allowed  to 
refuse  access  in  certain  situations.The  Act  gives  people  a right  to  access  information,  not 
the  right  to  have  the  original  documents.  Partial  access  may  be  available  if  a custodian 
has  grounds  for  not  disclosing  some  information.  In  such  cases,  the  information  that  must 
not  be  disclosed  should  be  severed  from  the  record  and  the  remainder  should  be  disclosed. 

Custodians  may  charge  specified  fees  for  giving  access  (see  the  section  on  fees). 

The  right  of  access  is  generally  subject  to  the  payment  of  the  fee. 

Remember  that  you  have  a duty  to  make  a reasonable  effort  to  ensure  that  the 
information  is  disclosed  to  the  person  intended  and  authorized  to  receive  it.  If  you  are  a 
custodian  that  does  not  know  the  applicant  personally,  you  should  get  proper 
identification  before  releasing  the  information. 

What  is  a Record? 


The  Act  is  very  specific  about  what  a record  is.  Obvious  records  are  such  things  as  notes, 
letters,  documents  and  x-rays.  Basically,  any  health  information  that  is  written, 
photographed,  recorded  or  stored  in  any  manner  is  a record.  Even  if  information 
is  only  stored  on  your  computer,  it  is  contained  in  a record.  Remember,  there  are  three 
types  of  health  information. 

If  a hard  copy  of  a record  does  not  exist,  but  can  be  created  from  information  that  is  in 
electronic  form  by  using  your  normal  computer  hardware  and  software  and  technical 
expertise,  then  you  must  create  a hard  copy  of  the  record  if  a person  wants  one.You  do 
not  have  to  do  this  if  creating  the  record  would  unreasonably  interfere  with  your  operations. 
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RIGHT  OF  ACCESS  TO  PERSONAL  HEALTH  INFORMATION 


Requests  for  Access 

The  Act  doesn’t  require  that  you  change  your  current  practices  for  release  of  information. 
However,  your  procedures  must  be  in  compliance  with  the  Health  Information  Act. 

A person  who  makes  a request  for  access  under  HIA  can  ask  for  a copy  of  the  record 
or  to  examine  the  record.  A custodian  may  require  the  person  to  make  the  request  in 
writing,  and  may  request  further  information  from  that  person  to  clarify  the  scope  of 
the  request.  The  custodian  must  make  every  reasonable  effort  to  respond  within 
30  days  of  receiving  the  request  People  do  not  have  to  explain  why  they  want  their 
personal  health  information. 


Requests  can  be  abandoned.  If  a custodian  requests  that  a person  pay  a fee  or  supply 
further  information  and  the  person  doesn’t  respond,  the  custodian  may  notify  the  person 
in  writing  that  the  request  has  been  abandoned.The  written  notice  must  also  advise  the 
person  that  he/she  can  ask  the  Commissioner  for  a review  of  the  custodian’s  decision. 

In  some  cases  a request  may  be  for  access  to  a record  that  contains  non-personal  health 
related  information  to  which  the  Freedom  of  Information  and  Protection  of  Privacy  Act 
(FOIP)  applies.  If  you  are  a custodian  that  is  also  a public  body  under  FOIP,  e.g.  a public 
hospital,  you  must  treat  that  part  of  the  request  as  a request  under  FOIP  and  the  provisions 
of  FOIP  apply  to  that  part  of  the  request. 

Responding  to  Requests  - What  You  Must  Do 

Custodians  must  make  every  reasonable  effort  to  assist  applicants  and  to  respond 
openly,  accurately  and  completely.  You  must,  where  it  is  reasonably  practicable, 
explain  any  term,  code  or  abbreviation  used  in  the  record  if  the  applicant  requests  it. 


Custodians 
must  assist 
people 
seeking 
access 


Remember  that,  where  practical,  you  must  create  a record  if  the  person  wants  one. 


You  must  make  every  reasonable  effort  to  respond  within  30  days  of  receiving 
the  request.  It  is  possible  to  extend  this  period  for  an  additional  30  days,  without 
Commissioner  approval,  for  the  following  reasons: 


▲ if  the  request  for  access  is  not  detailed  enough  for  you  to  identify  the  record; 
A if  a large  number  of  records  are  involved;  or 

A if  you  must  consult  with  another  custodian  to  determine  whether  access 
should  be  given. 

With  any  time  extension  you  must: 


A give  the  applicant  the  reason  for  the  extension; 

A tell  them  when  a response  can  be  expected;  and 
A advise  them  that  they  may  make  a complaint  to  the  Commissioner. 


If  you  do  not  respond  within  the  required  time,  you  are  deemed  to  have  refused 
access  to  the  applicant. 
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You  must  tell  the  applicant: 

- whether  you  will  give  access  to  all  or  part  of  the  record;  and 

- where,  when  and  how  access  will  be  given,  if  it  is  to  be  given. 

If  access  to  all  or  part  of  the  record  is  refused  you  must  tell  the  applicant: 

- the  reason(s)  for  the  refusal  and  the  provision(s)  of  the  Act  you  relied  on  for 
refusing  to  give  access; 

- the  name,  title,  business  address  and  phone  number  of  an  affiliate  who  can  answer 
questions  about  the  refusal;  and 

- that  the  applicant  may  ask  the  Commissioner  to  review  the  decision  to  refuse  access. 

You  Must  Refuse  Access 


A custodian  must  refuse  access  in  a number  of  situations.The  ones  most  likely  to  arise  are: 

▲ where  the  request  is  for  access  to  information  about  a person  other  than  the 
applicant  or  a person  acting  on  behalf  of  that  individual  (unless  the  information 
was  provided  by  the  applicant  in  the  first  place  in  the  context  of  a health  service 
being  provided  to  the  applicant); 

▲ where  disclosure  is  prohibited  by  another  law  of  Alberta  (e.g.  Freedom  of  Information 
& Protection  of  Privacy  Act,  Human  Tissue  Gift  Act);  or 

▲ where  the  information  sets  out  procedures  or  contains  results  of  an  investigation, 
discipline  proceeding,  practice  review  or  an  inspection  relating  to  a health 
services  provider. 
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RIGHT  OF  ACCESS  TO  PERSONAL  HEALTH  INFORMATION 


You  May  Refuse  Access 

A custodian  may  refuse  to  allow  access  in  a number  of  situations.The  ones  most  likely 
to  arise  are  where  the  disclosure  could  reasonably: 

▲ be  expected  to  result  in  immediate  and  grave  harm  to  the  applicant’s  mental 
or  physical  health  or  safety; 


•j 


▲ be  expected  to  threaten  the  mental  or  physical  health  or  safety  of  another 
individual; 

▲ be  expected  to  pose  a threat  to  public  safety; 

▲ lead  to  the  identification  of  a person  who  provided  health  information  to  the  custodian 
explicitly  or  implicitly  in  confidence  and  in  circumstances  in  which  it  was  appropriate 
that  the  person  s name  be  kept  confidential. 


Sever 

information 
that  should 
not  be 
disclosed 


Remember  that  if  you  can  sever  information  to  allow  partial  access  you  must  do  so. 


Discretionary  Refusal  of  Access  Due  to  a 
Threat  to  the  Safety  of  Another  Individual 

Sue's  husband  has  physically  abused  her  on  many  occasions.  After  the  last  episode  the  husband  was 
convicted  of  assault  and  ordered  to  take  a regional  health  authority  sponsored  anger  management 
program  and  stay  away  from  Sue.  Sue  has  since  left  her  husband  and  now  lives  alone,  but  her 
husband  suspects  she  is  "having  an  affair".  Sue  tells  a friend  that  her  husband  is  stalking  her  and 
on  a number  of  recent  occasions  the  friend  has  observed  the  husband  following  Sue.  Sue  and  her 
friend  report  this  to  the  husband's  counsellor  who  makes  a note  of  it  on  the  husband's  case  file  as 
it  indicates  the  mental  health  state  of  the  husband.  The  counsellor  raises  the  issue  at  the  husband's 
next  counselling  session.  The  husband  demands  to  know  who  told  the  counsellor  he  has  been 
following  his  wife.  The  husband  demands  access  to  the  counsellor's  notes  about  himself. 

Can  the  counsellor  refuse  to  provide  access  to  his  notes? 

A It  is  clear  the  husband  is  an  abusive  individual  and  could  pose  a danger  to  Sue  and  her  friend. 
The  counsellor  could  refuse  to  give  access  to  his  notes  on  that  basis  or  on  the  basis  that  they 
gave  the  information  to  the  counsellor  on  the  implied  condition  that  it  would  be  kept  confidential. 


A 
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Rita  is  an  elderly  patient  with  bipolar  disorder  and  a number  of  other  physical  ailments  that  require 
her  to  be  in  regular  contact  with  her  doctor  and  frequent  admissions  to  the  hospital.  Rita  has  never 
accepted  the  diagnosis  of  bipolar  disorder  and  becomes  very  agitated  and  distressed  when  it  is 
discussed.  She  is  unreliable  about  taking  her  medication  and  needs  monitoring.  Rita  has  asked  the 
hospital  for  access  to  her  records.  Should  the  hospital  allow  Rita  access  to  her  medical  records? 

▲ The  hospital  has  reservations  about  releasing  them  because  they  make  reference  to  her 

bipolar  disorder  and  contain  family  and  friends  names  who  have  participated  in  case  conferences. 
The  hospital  has  discussed  the  matter  with  Rita's  doctor.  The  doctor  believes  disclosure  may 
compromise  Rita's  health,  mentally  and  possibly  physically  as  her  compliance  with  treatment 
has  been  sporadic.  There  also  exists  the  possibility  that  if  Rita  were  to  find  out  the  names  of 
individuals  who  provided  information  about  her  during  case  conferences,  that  she  could  pose 
a physical  threat  to  them  based  on  her  past  behavioural  patterns  when  she  is  ill. 

A Under  these  circumstances  access  should  probably  not  be  granted.  However,  the  hospital 
must  decide  if  access  could  reasonably  be  expected  to  result  in  immediate  and  grave  harm. 
The  mental  distress  would  be  immediate,  but  is  it  grave?  It  is  arguable  whether  the  mental 
problems  that  could  result  from  her  withdrawal  of  medications  could  be  classified  as  either 
an  immediate  or  grave  danger  to  herself  or  others. 

A The  hospital  should  consider  whether  it  is  possible  to  sever  references  to  Rita's  treatment  for 
bipolar  disorder,  including  names  and  then  disclose  the  rest  of  her  records. 


The  Act  allows  custodians  to  charge  fees  for  providing  access  to  records.The  services  for 
which  fees  may  be  charged  and  the  amount  that  may  be  charged  are  specified  in  the  regulations. 

Custodians  must  give  an  estimate  of  the  total  fees  that  will  be  charged  before  providing 
the  services.The  regulations  specify  what  must  be  set  out  in  an  estimate. 

Custodians  have  the  discretion  to  excuse  an  applicant  from  paying  all  or  part  of 
the  fees.  If  an  applicant  asks  to  be  excused  from  paying  all  or  part  of  a fee  and  the 
custodian  refuses,  the  custodian  must  tell  the  applicant  that  they  can  have  that  decision 
reviewed  by  the  Commissioner. 
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HEALTH  INFORMATION 


CORRECTING  OR  AMENDING  HEALTH  INFORMATION 


Correcting  or  amending 
health  information 

General 


A person  who  believes  that  his  or  her  health  information  contains  an  error  or  omission  Patients  can 

may  request  that  the  custodian  who  has  custody  or  control  of  that  information  correct  ask  for 

or  amend  it.The  request  must  be  in  writing.  personal 

health 

Remember  that  custodians  have  a duty  to  ensure  that  personal  health  information  is  information 

accurate  and  complete.  to  be 

corrected 

As  with  requests  for  access,  the  custodian  has  30  days  to  make  the  correction  or 
amendment,  although  that  period  may  be  extended. 


If  the  custodian  agrees  to  make  the  change  or  amendment,  the  custodian  must  give  the 
applicant  written  notice  that  the  correction  or  amendment  has  been  made  and  notify 
any  person  to  whom  the  information  has  been  disclosed  (in  the  last  year  before  the 
correction  or  amendment  was  requested)  that  the  change  has  been  made.This  notice 
does  not  have  to  be  given  if  the  custodian  believes  that  not  giving  notice  will  not 
harm  the  applicant  and  the  applicant  agrees  that  they  will  not  be  harmed. 

A custodian  may  refuse  to  make  a correction  or  amendment  of  a professional 
opinion  or  observation  made  by  a health  services  provider  about  the  applicant  or 
of  a record  that  was  not  originally  created  by  the  custodian. 

Where  a patient  disagrees  with  a diagnosis  that  later  proves  to  have  been  incorrect,  you 
should  attach  a statement  correcting  the  earlier  diagnosis  and  notify  anybody  to  whom 
the  information  was  previously  disclosed.  Removing  all  reference  to  the  earlier  diagnosis 
could  make  the  record  incomplete,  as  there  would  be  nothing  to  explain  any  treatment 
that  was  given  on  the  basis  of  that  diagnosis. 

If  the  custodian  fails  to  respond  to  a request  it  is  deemed  to  have  refused  to  make 
the  correction  or  amendment. 

If  the  custodian  refuses  to  make  the  correction  or  amendment,  the  custodian  must,  within  the 
thirty-day  period  (or  during  the  extended  period),  tell  the  applicant  of  the  refusal  to 
correct  or  amend  and  give  the  reasons  for  refusing. 
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A custodian  who  refuses  to  make  a requested  change  or  amendment  must  also 
advise  the  applicant  that  he  or  she  may  do  one  of  two  things: 

A ask  the  Commissioner  to  review  the  custodian  s decision;  or 

A submit  a statement  of  disagreement  setting  out  the  requested  change  or 
amendment  and  their  reasons  for  disagreeing  with  the  custodian’s  decision  not  to 
make  the  change  or  amendment. 


If  a statement  for  amendment  or  change  is  submitted  the  custodian  must  attach  it  to  the 
record  (if  reasonably  practicable)  and  send  the  statement  to  any  person  to  whom  the 
custodian  has  disclosed  the  record  in  the  year  preceding  the  request  for  the  change 
or  amendment. 


A 


EXAMPLE  20 


Correcting  a Disputed  Diagnosis 


A patient  presents  with  an  unexplained  illness  at  a hospital.  A diagnosis  of  acute  anxiety  attack  is 
made,  and  a course  of  psychiatric  counselling  is  recommended.  The  patient  consults  an  independent 
psychiatrist  who  renders  a different  diagnosis.  The  patient  requests  the  hospital  remove  the 
reference  to  the  diagnosis  from  the  hospital  records.  The  hospital  refuses  to  do  so  because  it 
represents  a clinical  opinion  and  the  subsequent  course  of  treatment  provided  to  the  patient  based 
on  that  clinical  opinion.  What  options  does  the  patient  have? 

A The  custodian  must  advise  the  patient  that  they  can  ask  the  Commissioner  to  review  the 
custodian's  decision;  or 

A It  would  be  appropriate  to  ask  the  patient  if  he  or  she  would  like  a statement  of  disagreement 
attached  to  the  chart.  The  hospital  could  offer  to  help  prepare  a statement  that  includes  the 
independent  psychiatrist's  diagnosis. 
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Reviews  by  the 
Commissioner 

General 


The  Commissioner  is  the  Information  and  Privacy  Commissioner  appointed  under 
the  Freedom  of  Information  and  Protection  of  Privacy  Act. 

The  Commissioner  is  independent  from  government  and  has  the  power  to  review 
the  conduct  of  custodians.  In  particular  the  Commissioner  may  review: 

A any  decision,  act  or  failure  to  act  by  a custodian  who  has  been  asked  to  give  access 
to  or  correct  or  amend  a record  by  the  person  who  is  the  subject  of  the  record; 

A a claim  by  an  individual  that  his  or  her  health  information  has  been  improperly 
collected,  used  or  disclosed;  and 

A a decision  by  one  custodian  to  refuse  to  disclose  information  to  another  custodian. 

A person  must  give  a written  request  to  the  Commissioner  in  order  to  ask  for  a review. 

The  Commissioner  may  authorize  a mediator  to  investigate  and  attempt  to  settle  a 
dispute,  but  if  it  cannot  be  settled  the  Commissioner  must  (generally)  conduct  an  inquiry 
and  make  an  order  disposing  of  the  issues. 

The  Commissioner  may  also  investigate  and  attempt  to  resolve  complaints  that: 

- a duty  to  assist  a person  who  has  applied  for  access  has  not  been  performed; 

- there  has  been  an  improper  extension  of  time  for  responding  to  a request; 

- a fee  charged  under  the  Act  is  inappropriate; 

- a correction  or  amendment  of  health  information  has  been  improperly  refused;  or 

- a custodian  has  improperly  collected,  used,  disclosed  or  created  health  information. 

Whistleblower  Protection 


The 

Commissioner 

is 

independent 

and 

impartial 


An  affiliate,  acting  in  good  faith,  may  tell  the  Commissioner  about  any  health  information 
that  the  affiliate  believes  is  being  collected,  used  or  disclosed  by  a custodian  in 
contravention  of  the  Act. 

The  Commissioner  must  investigate  and  review  such  allegations  and  may  not  disclose 
the  identity  of  the  affiliate  without  his  or  her  consent. 

No  custodian  or  person  acting  on  the  custodian’s  behalf  may  do  anything  such  as  fire  or 
discipline  an  affiliate  for  disclosing  information  to  the  Commissioner. 
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HIA  at  a Glance 


This  section  is  intended  to  provide  a quick  overviev 


The  Act  sets  out  the  rules  respecting  the  collection,  use  and  disclosure  of  health  information  by  “custodians”. 
Certain  health  service  providers  in  Alberta  are  custodians  under  the  Act.  Many  health  service  providers 
are  probably  already  following  similar  rules  according  to  their  professional  standards. 


General  Rules 


▲ You  must  safeguard  the  health  information  you  hold. 

▲ Provide  anonymous  information  whenever  possible. 

▲ Only  disclose  what  is  needed  to  do  the  job,  no  more. 

A Only  provide  information  to  those  with  a need  to  know. 

Collection  of  Health  Information 


A Collect  only  what  you  need  to  provide  care. 

A Collect  directly  from  the  patient  whenever  possible. 

Patient  Access  to  Their  Own  Health  Information 


A Patients  have  a legal  right  to  see  or  obtain  copies  of  their  personal  health  information. 

A You  have  a duty  to  help  patients  with  their  requests.You  must  explain  abbreviations  and  terms  to 
your  patients. 

A You  have  to  respond  to  access  requests  within  30  days. 

A You  can  charge  a fee  for  access,  according  to  the  schedule  that  is  set  out  in  the  regulations. 

A In  some  circumstances,  you  can  refuse  access,  for  example  when  access  may  cause  harm. 

A If  a patient  disagrees  with  your  decision,  an  appeal  can  be  made  to  the  Information  and 
Privacy  Commissioner. 

Corrections  to  Health  Information 


A Patients  have  a right  to  ask  for  a correction  to  their  information. 

A You  can  refuse  to  correct,  for  example  where  the  correction  involves  your 
professional  opinion. 

A Patients  can  ask  the  Information  and  Privacy  Commissioner  to  review  your  decision 
or  submit  a statement  of  disagreement. 


Use  of  Health  Information 


A You  can  use  health  information  without  consent  for  the  following  purposes: 

A Providing  health  services, 

A Determining  eligibility  for  health  services, 

A Conducting  formal  investigations,  disciplinary  proceedings,  practice  reviews  and  inspections, 
A Conducting  authorized  research, 

A Providing  health  service  provider  education, 

A Complying  with  another  piece  of  legislation,  and 

A Managing  internal  operations  such  as  planning  and  allocating  resources,  quality 
improvement,  program  evaluation  and  obtaining  payment  for  services. 
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Disclosure  of  Health  Information 


▲ You  can  disclose  a patient’s  health  information  with  consent. 

▲ Make  sure  you  are  disclosing  to  the  correct  patient*  or  custodian. 

▲ Be  reasonably  sure  the  information  is  accurate. 

A Keep  a log  of  the  disclosures  you  make.  A simple  notation  in  the  chart  is  acceptable. 

A You  may  disclose  without  consent  (though  you  are  not  required  to  disclose)  to  the  following  people: 
A Continuing  care  & treatment  providers, 

A Health  professional  bodies,  auditors  and  quality  assurance  committees, 

A Researchers,  subject  to  an  ethics  review, 

A Entities  authorized  to  obtain  information  or  disclosures  required  by  other 
legislation,  e.g.,  courts  and  subpoenas, 

A Family  members  in  certain  circumstances, 

A Individuals  or  authorized  representatives  of  individuals, 

A Persons  acting  in  the  best  interests  of  an  incompetent  individual, 

A Police,  when  investigating  a life  threatening  injury  to  the  individual, 

A Any  person,  to  avert  or  minimize  an  imminent  danger, 

A Another  custodian,  to  prevent  fraud  or  detect  abuse  of  health  services,  and 
A Another  custodian  or  successor  of  a custodian. 

A (Note  that  the  HIA  itself  does  not  require  you  to  disclose,  although  in  some  of  these  cases,  other 
legislation  does  make  disclosure  mandatory) 

There  are  also  specific  exceptions  for  disclosure  without  consent  that  apply  to  registration  information  and 
health  service  provider  information. 

You  will  continue  to  handle  a lot  of  requests  as  you  have  done  in  the  past,  using  common 
sense  and  professional  standards. 

* The  word  ‘patient’  is  used  to  include  reference  to  others  that  are  authorized  to  exercise  rights  on 
behalf  of  a patient.  Examples  include  a parent  on  behalf  of  a child,  a guardian  or  trustee  on  behalf  of 
a mentally  incompetent  patient  and  a personal  representative  on  behalf  of  a deceased  patient. 
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Conclusion 


The  Health  Information  Act  is  a new  piece  in  an  existing  framework  of  legal  and  ethical  standards  that 
are  utilized  in  the  day  to  day  management  of  those  needing  care  and  treatment.  Understanding  the 
Act  will  assist  in  making  sense  of  the  larger  framework.  Common  sense  is  perhaps  the  best  entry  point  to 
understanding  the  Act.  If  an  interpretation  of  the  Act  seems  to  lead  to  a strange  result,  it  may  not  be 
correct. 

If  guidance  is  needed  on  specific  issues,  custodians  can  call  the  Office  of  the  Information  and 
Privacy  Commissioner  at:  780-422-6860. 

Comments  on  the  guide  are  welcomed.  Please  direct  them  to: 

The  Office  of  the  Information  and  Privacy  Commissioner 
#410,  9925-  109  St. 

Edmonton, AB 
T5K  2J8 
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Glossary 

affiliate,  in  relation  to  a custodian,  includes 

(i)  an  individual  employed  by  the  custodian, 

(ii)  a person  who  performs  a service  for  the  custodian  as  an  appointee,  volunteer  or 
student  or  under  a contract  or  agency  relationship  with  the  custodian,  and 

(iii)  a health  services  provider  who  has  the  right  to  admit  and  treat  patients  at  a 
hospital  as  defined  in  the  Hospitals  Act,  but  does  not  include 

(iv)  an  operator  as  defined  in  the  Ambulance  Services  Act,  or 

(v)  an  agent  as  defined  in  the  Health  Insurance  Premiums  Act; 

collect  means  to  gather,  acquire,  receive  or  obtain  health  information; 

Commissioner  means  the  Information  and  Privacy  Commissioner  appointed  under  Part  3 
of  the  Freedom  of  Information  and  Protection  of  Privacy  Act; 

custodian  means 

(i)  the  board  of  an  approved  hospital  as  defined  in  the  Hospitals  Act  other  than 
an  approved  hospital  that  is 

(A)  owned  and  operated  by  a regional  health  authority  established  under 
the  Regional  Health  Authorities  Act,  or 

(B)  established  and  operated  by  the  Alberta  Cancer  Board  continued  under 
the  Cancer  Programs  Act; 

(ii)  the  operator  of  a nursing  home  as  defined  in  the  Nursing  Homes  Act  other  than 
a nursing  home  that  is  owned  and  operated  by  a regional  health  authority 
established  under  the  Regional  Health  Authorities  Act; 

(iii)  a provincial  health  board  established  pursuant  to  regulations  made  under 
section  17  of  the  Regional  Health  Authorities  Act; 

(iv)  a regional  health  authority  established  under  the  Regional  Health  Authorities  Act; 

(v)  a community  health  council  as  defined  in  the  Regional  Health  Authorities  Act; 

(vi)  a subsidiary  health  corporation  as  defined  in  the  Regional  Health  Authorities  Act; 

(vii)  the  Alberta  Cancer  Board  continued  under  the  Cancer  Programs  Act; 

(viii)  a board,  council,  committee,  commission,  panel  or  agency  that  is  created  by  a 

custodian  referred  to  in  subclauses  (i)  to  (vii),  if  all  or  a majority  of  its  members 
are  appointed  by,  or  on  behalf  of,  that  custodian,  but  does  not  include  a committee 
that  has  as  its  primary  purpose  the  carrying  out  of  quality  assurance  activities 
within  the  meaning  of  section  9 of  the  Alberta  Evidence  Act; 

(ix)  a health  services  provider  who  is  paid  under  the  Alberta  Health  Care  Insurance 
Plan  to  provide  health  services; 
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(x)  a licensed  pharmacy  as  defined  in  the  Pharmaceutical  Profession  Act; 

(xi)  a pharmacist  as  defined  in  the  Pharmaceutical  Profession  Act; 

(xii)  the  Department; 

(xiii)  the  Minister; 

(xiv)  an  individual  or  board,  council,  committee,  commission,  panel,  agency,  or  corporation 
designated  in  the  regulations  as  a custodian; 

but  does  not  include 

(xv)  the  Alberta  Alcohol  and  Drug  Abuse  Commission  continued  under  the  Alcohol  and 
Drug  Abuse  Act,  or 

(xvi)  a Community  Board  or  a Facility  Board,  as  those  terms  are  defined  in  the  Persons  with 
Developmental  Disabilities  Community  Governance  Act; 

diagnostic,  treatment  and  care  information  means  information  about  any  of  the  following: 

(i)  the  physical  and  mental  health  of  an  individual; 

(ii)  a health  service  provided  to  an  individual; 

(iii)  the  donation  by  an  individual  of  a body  part  or  bodily  substance,  including  information 
derived  from  the  testing  or  examination  of  a body  part  or  bodily  substance; 

(iv)  a drug  as  defined  in  the  Pharmaceutical  Profession  Act  provided  to  an  individual; 

(v)  a health  care  aid,  device,  product,  equipment  or  other  item  provided  to  an 
individual  pursuant  to  a prescription  or  other  authorization; 

(vi)  the  amount  of  any  benefit  paid  or  payable  under  the  Alberta  Health  Care  Insurance  Act  or  any 
other  amount  paid  or  payable  in  respect  of  a health  service  provided  to  an  individual, 

and  includes  any  other  information  about  an  individual  that  is  collected  when  a health 
service  is  provided  to  the  individual  but  does  not  include  information  that  is  not  written, 
photographed,  recorded  or  stored  in  some  manner  in  a record; 

health  information  means  any  or  all  of  the  following: 

(i)  diagnostic,  treatment  and  care  information; 

(ii)  health  services  provider  information; 

(ii)  registration  information; 

health  service  means  a service  that  is  provided  to  an  individual 

(i)  for  any  of  the  following  purposes  and  is  directly  or  indirectly  and  fully  or  partially  paid 
for  by  the  Department  (of  Health  and  Wellness): 

(A)  protecting,  promoting  or  maintaining  physical  and  mental  health; 

(B)  preventing  illness; 

(C)  diagnosing  and  treating  illness; 
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(D)  rehabilitation; 


or 


(E)  caring  for  the  health  needs  of  the  ill,  disabled  injured  or  dying; 
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(ii)  by  a pharmacist  engaging  in  the  practice  of  pharmacy  as  defined  in  the  Pharmaceutical 
Profession  Act  regardless  of  how  the  service  is  paid  for, 

but  does  not  include  a service  that  is  provided  to  an  individual 

(iii)  by  an  ambulance  attendant  as  defined  in  the  Ambulance  Services  Act, 

(iv)  by  the  Alberta  Alcohol  and  Drug  Abuse  Commission  continued  under  the  Alcohol  and 
Drug  Abuse  Act,  or 

(v)  by  a Community  Board  or  a Facility  Board,  as  those  terms  are  defined  in  the  Persons 
with  Developmental  Disabilities  Community  Governance  Act; 

health  services  provider  means  an  individual  who  provides  health  services; 

health  services  provider  information  means  the  following  information  relating  to  a 
health  services  provider: 

(i)  name; 

(ii)  business  and  home  mailing  addresses  and  electronic  addresses; 

(iii)  business  and  home  telephone  numbers  and  facsimile  numbers; 

(iv)  gender; 

(v)  date  of  birth; 

(vi)  unique  identification  number  that 

(A)  is  assigned  to  the  health  services  provider  by  a custodian  for  the  purpose  of  the 
operations  of  the  custodian,  and 

(B)  uniquely  identifies  the  health  services  provider  in  relation  to  that  custodian; 

(vii)  type  of  health  services  provider  and  licence  number  , if  a licence  has  been  issued  to 
the  health  services  provider; 

(viii)  date  on  which  the  health  services  provider  became  authorized  to  provide  health  services 
and  the  date,  if  any,  on  which  the  health  services  provider  ceased  to  be  authorized  to 
provide  health  services; 

(ix)  education  completed,  including  entry  level  competencies  attained  in  a basic  education 
program  and  post-secondary  educational  degrees,  diplomas  or  certificates  completed; 

(x)  continued  competencies,  skills  and  accreditations,  including  any  specialty  or  advanced 
training  acquired  after  completion  of  the  education  referred  to  in  subclause 

(ix),  and  the  dates  they  were  acquired; 

(xi)  restrictions  that  apply  to  the  health  services  providers  right  to  provide  health  services 
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(xii)  decisions  of  a health  professional  body,  or  any  other  body  at  an  appeal  of  a decision  of 
a health  professional  body,  pursuant  to  which  the  health  professionals  right  to  provide 
health  services  in  Alberta  is  suspended  or  cancelled  or  made  subject  to  conditions, 
or  a reprimand  or  fine  is  issued; 

(xiii)  business  arrangements  relating  to  the  payment  of  the  health  services  providers  ac 
counts; 

(xiv)  profession; 

(xv)  job  classification; 

(xvi)  employment  status; 

(xvii)  number  of  years  the  health  services  provider  has  practiced  the  profession; 

(xviii)employer; 

(xix)  municipality  in  which  the  health  services  providers  practice  is  located  but  does  not 
include  information  that  is  not  written,  photographed,  recorded  or  stored  in  some 
manner  in  a record; 

individually  identifying,  when  used  to  describe  health  information,  means  that  the  identity  of 
the  individual  who  is  the  subject  of  the  information  can  be  readily  ascertained  from  the  information; 

non-identifying,  when  used  to  describe  health  information,  means  that  the  identity  of  the  individual 
who  is  the  subject  of  the  information  cannot  be  readily  ascertained  from  the  information; 

personal  health  number  means  the  number  assigned  to  an  individual  by  the  Department  to  uniquely 
identify  the  individual; 

record  means  a record  of  health  information  in  any  form  and  includes  notes,  images,  audio-visual 
recordings,  x-rays,  books,  documents,  maps,  drawings,  photographs,  letters,  vouchers  and  papers  and 
any  other  information  that  is  written,  photographed,  recorded  or  stored  in  any  manner,  but  does  not 
include  software  or  any  mechanism  that  produces  records; 

registration  information  means  information  relating  to  an  individual  that  falls  within  the  following 
general  categories  and  is  more  specifically  described  in  the  regulations: 

(i)  demographic  information,  including  the  individuals  personal  health  number; 

(ii)  location  information; 

(iii)  telecommunications  information; 

(iv)  residency  information; 

(v)  health  service  eligibility  information; 

(vi)  billing  information;  but  does  not  include  information  that  is  not  written,  photographed, 
recorded  or  stored  in  some  manner  in  a record; 

use  means  to  apply  health  information  for  a purpose  and  includes  reproducing 
information,  but  does  not  include  disclosing  information. 
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